Trying to get a QueryInterceptor to work

  • Question

  • I'd like to filter all rows that are retrieved from my table regardless of what any other query parameters are.  That is, for security purposes, I don't want the client to be able to retrieve more rows than they are authorized to get.

    I tried the below but it does not seem to work.  Any suggestions?

    public class DefaultScopeSyncService : Microsoft.Synchronization.Services.SyncService<DefaultScopeOfflineEntities> {
        
        public static void InitializeService(Microsoft.Synchronization.Services.ISyncServiceConfiguration config) {
          // TODO: MUST set these values
          config.ServerConnectionString = ConfigurationManager.ConnectionStrings["svCodeCampConnectionString"].ConnectionString;
          config.SetEnableScope("*");
          // 
          // 
          // TODO: Optional.
          // config.SetDefaultSyncSerializationFormat(Microsoft.Synchronization.Services.SyncSerializationFormat.ODataJson);
          // config.SetConflictResolutionPolicy(Microsoft.Synchronization.Services.ConflictResolutionPolicy.ServerWins);
        }
    
    
        [QueryInterceptor("Sessions")]
        public Expression<Func<Sessions, bool>> QuerySessions()
        {
          return c => c.Id < 6;
        }
    
      }

     


    Peter Kellner http://peterkellner.net Microsoft MVP • ASPInsider
    Wednesday, July 7, 2010 4:40 AM

Answers

  • I'd like to filter all rows that are retrieved from my table regardless of what any other query parameters are.  That is, for security purposes, I don't want the client to be able to retrieve more rows than they are authorized to get.

    I think this should be done on the server side in the procedures which select the data for sync. Before any filtering on the client side can be applied the data has to be synced - and this is something you explicitly don't want (if I got you right).

    Please refer to the "Sync related tables" thread for a description of how to hack the provisioning and procedures in such a way - or feel free to ask again and I will try to give an example.

    HTH

     

    • Proposed as answer by Ganeshan Monday, July 19, 2010 10:01 PM
    • Marked as answer by Nina H Wednesday, July 21, 2010 11:40 PM
    Wednesday, July 7, 2010 6:49 AM

All replies

  • Hi Peter,

    The focus for this release was the asym protocol and the client programming experience. We intentionally left out extensibility on the server. It seems you intend to plug in query interceptors on the service à la WCF Data Services, and that is good feedback. For the time being, the only way to achieve custom filtering is by modifying the enum procs on the database.

     


    Maheshwar Jayaraman - http://blogs.msdn.com/mahjayar
    Wednesday, July 7, 2010 4:20 PM
  • Hello:

    About this thread: in my case I need to use the interceptor to inject one parameter, for security, to filter data in the database.

    Our database is hosted in SQL Azure and synchronizes data with an HTML5 client.

    The database is multi-tenant, to work with different clients, so in each synchronization we need to filter by the @TenantId field.

    For security I do not want to expose the TenantId to the client; the client does not know, and does not need to know, the @TenantId.

    For this purpose, I am thinking of using the interceptor to inject this @TenantId on the server side before syncing the data.

    Is this the correct way?

    Should I include the TenantId field in the synchronization?

    Example:

    <SyncTable Name="[Entries]" GlobalName="" SchemaName="" IncludeAllColumns="true"
               FilterClause="[side].TenantId = @TenantId AND [side].EmployeeId = @EmployeeId">
      <SyncColumns>
        <SyncColumn Name="EntryId" GlobalName="" SqlType="uniqueidentifier"
                    IsPrimaryKey="true" IsNullable="false" />
        <SyncColumn Name="TenantId" GlobalName="" SqlType="int"
                    IsPrimaryKey="false" IsNullable="false" />
        <SyncColumn Name="ProjectId" GlobalName="" SqlType="uniqueidentifier"
                    IsPrimaryKey="false" IsNullable="false" />
        <!-- ... -->
      </SyncColumns>
    </SyncTable>

    - If that is so, can I put a hardcoded value for @TenantId in the client, and beforehand, in the interceptor, change the hardcoded value in @TenantId to a valid value?

     

    Thanks for your help.


    Jose Adrien
    Wednesday, November 30, 2011 4:52 PM
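
The server-side binding asked about in the last post, as an added example that is not part of the thread and not Sync Framework code: the values for `@TenantId` and `@EmployeeId` are resolved from the authenticated caller on the server, and whatever the client sent under those names is ignored. `ServerSideFilterBinder`, the sample directory, the user name and the `Guid` type for `EmployeeId` are assumptions; how the bound values reach the enumeration procedures depends on the service.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical helper (not a Sync Framework API). It binds the parameters used by
// FilterClause="[side].TenantId = @TenantId AND [side].EmployeeId = @EmployeeId".
static class ServerSideFilterBinder
{
    // Constructed sample directory; a real service would query its identity store.
    // EmployeeId is assumed to be a Guid; the post does not show that column.
    static readonly Dictionary<string, (int TenantId, Guid EmployeeId)> Directory =
        new Dictionary<string, (int, Guid)>(StringComparer.OrdinalIgnoreCase)
        {
            ["alice@contoso.example"] = (17, Guid.Parse("11111111-1111-1111-1111-111111111111")),
        };

    public static Dictionary<string, object> Bind(
        IIdentity caller, IDictionary<string, string> clientSupplied)
    {
        // Fail closed: an unauthenticated or unmapped caller gets no parameters
        // at all, so no query can run on their behalf.
        if (caller == null || !caller.IsAuthenticated ||
            !Directory.TryGetValue(caller.Name, out var row))
            throw new UnauthorizedAccessException("Caller has no tenant mapping.");

        // Authorization-relevant parameters come only from the server-side lookup.
        // clientSupplied is deliberately never read for these names, so a hardcoded
        // placeholder or a forged value cannot widen the row set.
        return new Dictionary<string, object>
        {
            ["@TenantId"] = row.TenantId,
            ["@EmployeeId"] = row.EmployeeId,
        };
    }
}

static class Program
{
    static void Main()
    {
        var caller = new GenericIdentity("alice@contoso.example", "Bearer");
        // Constructed request: the client names a tenant it does not belong to.
        var fromClient = new Dictionary<string, string> { ["@TenantId"] = "99" };

        foreach (var p in ServerSideFilterBinder.Bind(caller, fromClient))
            Console.WriteLine($"{p.Key} = {p.Value}");
    }
}
```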