We need to provide an API for an Activity Feed (think of Facebook) and we decided to give OData a try. We are using .NET so we went for WCF Data Service but we don't use Entity Framework (or any other ORM) so we will use the Reflection Provider. Because we have complex business logic for our retrieval methods we decided to expose them as service operations. However we want to expose Delete/Update and single entity selection as a normal OData REST resource. My question is how can we implement a data source for the reflection provider that restricts access to collections but allows access to single entities (requested by key), allows DELETE/PUT/POST verbs and also allows accessing child collections of single entities (i.e. service/Categories(1)/Products). Basically I only want to restrict access to base collections (i.e. service/Categories or service/Products)
1 Answers
5
votes
There isn't a great answer here.
There are two settings you can use inside InitializeService(..)
config.SetEntitySetAccessRule("Feed", EntitySetRights.ReadSingle);
config.SetEntitySetPageSize("Feed", 1);
Unfortunately neither do exactly what you want:
EntitySetRights.ReadSingle
limits you to returning just one object from that set. Which fails because it doesn't allow this /Categories(1)/Products AND it also allows /Categories?$filter=... to return a row.SetEntitySetPageSize
restricts the amount of initial load hitting the server to just one record but you can follow the $skiptoken to go and get the rest of the data one record at a time and just like (1) it allows arbitrary queries not just key predicates.
That leaves you with only one realistic option. Visiting the LINQ expression and working out if you allow what is being attempted.
Since you are using the Reflection provider, you basically need to wrap the IQueryables being returned from your 'context' class and look for invalid queries, before passing them on.
Not something for the fainted hearted.
If you do decide to go down that path you'll find my IQueryable wrapping example useful, and you should check out Viteks blog post series on Data Service expressions too.
Hope this helps
Alex (OData Program Manager)