<p>Security is a vital concern. It is wise to think carefully about the data and logic exposed on the client. How can we refine these sentiments into a concrete question suitable for an SO answer?</p>
<p>Nothing about Breeze should cause you to expose business logic to the JavaScript client. You can (and should) lock such logic safely inside your repositories and/or controller methods.</p>
<p>But I struggle to understand how client <strong><em>queries themselves</em></strong> are the kinds of business logic that need protecting. Where's the danger in a query for a customer whose name begins with 'A'?</p>
<p>You may rightly worry about a query for customers with net worth > $100,000. But the fault is not in the query. The fault would be in exposing such customer information to unauthorized users <em>by any means</em>, whether through a Breeze <em>where</em> clause appended to a query or a call to a service named <em>GetCustomers()</em>.</p>
<p>The place to block unauthorized access to customers is on the server, and you can do that as easily inside a Breeze controller action method returning <em>IQueryable</em> as you can in your <em>GetCustomer()</em> method. The burden falls on you in either case to impose the necessary security constraints on your controller and within the methods that you expose.</p>
<p>You write the controller. You write the repositories. You have access to the user's permissions. You are in complete control with an uncompromised ability to expose as much or as little as you wish.</p>
<p>FWIW, your Breeze <em><code>EntityManager</code></em> can call service methods that do not return <code>IQueryable&lt;Customer&gt;</code>. It can call Web Api controller methods such as <em><code>IEnumerable&lt;Customer&gt; GetCustomers()</code></em> or <em><code>Product GetProductForId(int id)</code></em>. In my opinion you will lose the flexibility of Breeze's query facilities without gaining any security. But that's just my opinion. Breeze will support your choice, whatever it may be.</p>
<p>I'd be happy to try to answer a more specific "how to" question.</p>
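The server-side constraint the answer describes, as an added example that is not part of the original answer or of Breeze's own code. It is an ASP.NET Web API controller in which both the Breeze <code>IQueryable</code> action and a conventional <code>GetCustomersForRegion()</code> method draw from one authorization filter, so a client-appended <em>where</em> clause can only narrow rows the caller is already allowed to see. Everything beyond the Breeze types (<code>BreezeController</code>, <code>EFContextProvider</code>) is assumed: the <code>NorthwindContext</code>, a <code>Customer</code> entity with <code>Region</code> and <code>NetWorth</code> properties, a <code>region</code> claim on the principal, and roles named <code>Admin</code> and <code>Finance</code>.

```csharp
// Added example (not from the answer above): a Breeze Web API controller that decides
// "who may see which rows" on the server, in one place, for every endpoint.
// Assumptions (hypothetical, not from the original): NorthwindContext is an EF6 DbContext
// with a Customers DbSet; Customer has Region (string) and NetWorth (decimal) properties;
// the authenticated principal carries a "region" claim and may hold the roles "Admin"
// and "Finance". The Breeze.WebApi2 / Breeze.ContextProvider.EF6 packages are assumed.
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Web.Http;
using Breeze.ContextProvider.EF6;
using Breeze.WebApi2;

[Authorize]          // unauthenticated callers never reach an action at all
[BreezeController]   // lets Breeze apply the client's $filter/$orderby/$top to IQueryable results
public class CustomersController : ApiController
{
    private readonly EFContextProvider<NorthwindContext> _contextProvider =
        new EFContextProvider<NorthwindContext>();

    [HttpGet]
    public string Metadata() => _contextProvider.Metadata();

    // Breeze query endpoint. The client may append its own where/orderBy/take clauses,
    // but only on top of the IQueryable this method returns.
    [HttpGet]
    public IQueryable<Customer> Customers() => AuthorizedCustomers();

    // Conventional "service method" endpoint. It is neither more nor less secure than
    // the IQueryable action: both depend on the same server-side constraint.
    [HttpGet]
    public IEnumerable<Customer> GetCustomersForRegion(string region) =>
        AuthorizedCustomers().Where(c => c.Region == region).ToList();

    // The single place where authorization is applied to customer data.
    private IQueryable<Customer> AuthorizedCustomers()
    {
        IQueryable<Customer> customers = _contextProvider.Context.Customers;

        if (User.IsInRole("Admin"))
            return customers;                                   // full visibility

        // Everyone else is confined to their own region (hypothetical "region" claim).
        var region = (User as ClaimsPrincipal)?.FindFirst("region")?.Value;
        if (string.IsNullOrEmpty(region))
            return Enumerable.Empty<Customer>().AsQueryable();  // no region claim: empty set, not an error

        customers = customers.Where(c => c.Region == region);

        // Without the Finance role, high-net-worth customers are not in the set at all,
        // so a client query "where NetWorth > 100000" simply returns nothing.
        if (!User.IsInRole("Finance"))
            customers = customers.Where(c => c.NetWorth <= 100000m);

        return customers;
    }
}
```

The point of routing both actions through <code>AuthorizedCustomers()</code> is that the filter is composed into the query before Breeze or the caller adds anything, so the database only ever evaluates the caller's predicate against rows that passed the server's own; returning an empty queryable for a missing claim keeps the response shape identical for authorized and unauthorized callers.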