I have a situation where I need to partially update a model because I want to return a model that has column level security. I am aware that dynamic update exists for non changing information using nHibernates dynamic updates.
I am trying to return some data from a model that has empty values from our secured web api. I don't want the data for some columns to ever reach the end user's system. The reason being is that I don't want data being in the system memory to meet compliance. So when a request for a model is sent to the api I will be returning partially filled models. Since the column level security will by dynamic as well I don't know which columns at the time of writing the application will be designated as non-viewable for a user. In other words the fields for the models will vary depending on user security configuration. What patterns are out there to get a partially filled model and allows me to leverage nHibernate without hacky approaches. I hope I was clear enough. I am stumped on a solution that doesn't require dynamic generation of update statements (non orm solution). This is a big deal for us to leverage nHibernate.
model definition: Customer { firstname; lastname; SSN;etc...}
// This is a customer that we don't want to reveal SSN for a non privileged user in the session. And we don't want to hide on frontend. We don't want webapi to send back any SSN.
WebAPI api = new api(); api.SetUserOfSession(SystemUserWithNoPrivilegesToReadSSN);
var customer = api.GetaCustomer(1000); // customer should not have SSN field filled and should be blank
// Get info from gui where SSN was obviously not changed and is blank but customer.firstname = "John"; // update any column besides SSN
api.Save(customer); // This should update firstname but SSN should obviously not get erased with a blank because we never sent it back.
So I expect that the customer object when not getting SSN field be saved to nHibernate which is running within the webapi to ignore the SSN in the update dynamically and not think it is "" because I sent it in. I obviously want to leverage what nHibernate does as an ORM and do not know ahead of time what fields will be data masked on retrieval.
Aucun commentaire:
Enregistrer un commentaire