Ability to verify that a transient object was created by the session
The idea here is that a transient object representation would include some encrypted hash (perhaps just as an extension), generated by the server, which incorporates the domain object type together with the values of any properties that are either hidden or disabled. When an attempt is made to persist an object, the framework could check this value to confirm that it was generated by the same session and that none of the hidden/disabled values have been changed.
Apart from plugging some more obscure holes, this solves another quite simple issue: how to control authorization for persisting objects, given that a rogue user could easily construct a representation of a transient object and persist it. With this new capability, the user could only persist a transient object that had been created by the system, i.e. returned by some action, for which it is straightforward to manage authorization.
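A sketch of the check described above, added here as an example and not the framework's own code. It uses HMAC-SHA256 with a per-session key in place of the "encrypted hash"; the `LOCKED` table, the `x-transient-tag` extension name and all function names are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: the server knows, per domain type, which properties are
# hidden or disabled. Type and property names here are made up.
LOCKED = {"Order": ("customerId", "discount")}
SESSION_KEYS = {}  # session id -> secret key; never sent to the client


def open_session(session_id):
    SESSION_KEYS[session_id] = secrets.token_bytes(32)


def _tag(key, domain_type, members):
    # Canonical bytes over the type plus hidden/disabled values only;
    # editable properties are left out so the user may still change them.
    locked = {name: members.get(name) for name in LOCKED.get(domain_type, ())}
    data = json.dumps([domain_type, locked], sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def issue_transient(session_id, domain_type, members):
    """Build the representation returned by an action, with the tag attached."""
    tag = _tag(SESSION_KEYS[session_id], domain_type, members)
    return {"domainType": domain_type, "members": dict(members),
            "extensions": {"x-transient-tag": tag}}


def may_persist(session_id, rep):
    """True only if this session issued rep and its locked values are intact."""
    key = SESSION_KEYS.get(session_id)
    tag = rep.get("extensions", {}).get("x-transient-tag")
    if key is None or not isinstance(tag, str):
        return False
    expected = _tag(key, rep.get("domainType"), rep.get("members", {}))
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    return hmac.compare_digest(expected.encode(), tag.encode())
```

Because the key is per session, a tag copied from another session or a hand-built representation with no tag fails the same check as a tampered hidden value.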