Ability to verify that a transient object was created by the session


The idea here is that a transient object representation would include some encrypted hash (perhaps just as an extension) generated by the server, and which incorporates the domain object type, together with all the values of any properties that are either hidden or disabled. When an attempt is made to persist an object, the framework could check this value to confirm that it was generated by the same session and that none of the hidden/disabled values have been changed.

Apart from plugging some more obscure holes, this solves another quite simple issue: how to control authorization for persisting objects - given that a rogue user could easily construct a representation of a transient object and persist it. With this new capablity the user could only persist a transient object that had been created by the system i.e. returned by some action - for which it is straightforward to manage authorization.
Closed May 9, 2013 at 3:57 PM by RichardPawson