I have a unique requirement that I'm not sure how to handle. We are working with an underlying repository that allows for quite a bit of flexibility with regard to parameters. The Controller services are injected as "service" objects into a "Service" property for our controller classes and they wrap the calls to Entity Framework, e.g.
    public class UserController : ApiController
    {
        // Injected by Autofac; wraps the Entity Framework calls.
        public IUserSvc Service { get; set; }

        public UserController(IUserSvc service)
        {
            this.Service = service;
        }
    }
This part is handled by Autofac and all is well here.
Next, we have the standard GET,POST,PUT,DELETE,PATCH methods in the controller that accept a SINGLE user model. In other words, there is only ONE user model that is ever used, and therein lies the problem.
While the underlying service class just handles the passing of data back and forth, it pushes the requirement of the granular control of validation up the pipe. This isn't abnormal to me.
Given that we have a single API that uses models with validation attributes, we've run into an issue where different apps that call into the API require different types of validation. The model structure is fine. It's just that some properties, depending on "who you are" and what HTTPMethod is sent, either are or are not validated.
ex:
    public class User
    {
        public int UserID { get; set; }
        public string Name { get; set; }
    }
Let's take 2 scenarios:
1. Basic User
2. System User
As a basic user, UserID is required for: GET, PUT, PATCH (and technically DELETE too, but it's not used). It is not required for POST because that would be creating their own user.
As a system user, UserID is NOT required in GET but is required in PUT, PATCH, DELETE.
So I am having a hard time trying to figure out how to do this without making one API for Basic User with their own models and one for System User.
I wanted to keep this high in the pipe so I wasn't doing this in the controller API methods, i.e. check roles/claims, create/cast/or otherwise map the bound model to a specific concrete model per role/claim, and then run validation and THEN return model binding errors if any. That's a lot of gunk in the method and I would prefer this to be on an attribute of the method or API controller.
Is there any way to do a type of model binding and/or model validation based on "who you are"? That could be by role or claim?
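
The role-and-method rule table described in the question can be expressed as a single action filter so the controller methods stay clean. This is an added example, not part of the original post; it assumes ASP.NET Web API 2, and the attribute name, the role names "BasicUser" and "SystemUser", the role precedence, and treating a UserID of 0 or less as "missing" are all assumptions.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

public class User { public int UserID { get; set; } public string Name { get; set; } } // model from the post

// Hypothetical attribute: enforces the UserID rule for the caller's role and HTTP method.
public sealed class RoleAwareUserValidationAttribute : ActionFilterAttribute
{
    // Assumed role names; map these to your own roles or claims.
    private const string SystemRole = "SystemUser";
    private const string BasicRole = "BasicUser";
    private static readonly HttpMethod Patch = new HttpMethod("PATCH");

    // Role -> methods for which UserID must be supplied (the two scenarios in the post).
    private static readonly Dictionary<string, HashSet<HttpMethod>> UserIdRequired =
        new Dictionary<string, HashSet<HttpMethod>>
        {
            { BasicRole, new HashSet<HttpMethod> { HttpMethod.Get, HttpMethod.Put, Patch, HttpMethod.Delete } },
            { SystemRole, new HashSet<HttpMethod> { HttpMethod.Put, Patch, HttpMethod.Delete } }
        };

    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        IPrincipal p = actionContext.RequestContext.Principal;
        // Assumption: a caller holding both roles is validated as a system user.
        string role = p == null ? null
            : p.IsInRole(SystemRole) ? SystemRole
            : p.IsInRole(BasicRole) ? BasicRole : null;
        if (role == null)
        {
            // Unknown or missing role: fail closed instead of skipping validation.
            actionContext.Response = actionContext.Request.CreateErrorResponse(HttpStatusCode.Forbidden, "Role not recognised.");
            return;
        }
        var user = actionContext.ActionArguments.Values.OfType<User>().FirstOrDefault();
        // Assumption: an unbound int UserID is 0, so 0 or less counts as "missing".
        if (UserIdRequired[role].Contains(actionContext.Request.Method) && (user == null || user.UserID <= 0))
            actionContext.ModelState.AddModelError("UserID", "UserID is required for this role and method.");
        if (!actionContext.ModelState.IsValid)
            actionContext.Response = actionContext.Request.CreateErrorResponse(HttpStatusCode.BadRequest, actionContext.ModelState);
    }
}
```

Applied as `[RoleAwareUserValidation]` on the controller or on individual actions, the filter runs after model binding, so attribute-based errors already in ModelState are returned in the same 400 response.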