Problem filtering ObjectQuery.Include method for permission business logic

I created a middleware layer between the BL and the Entity Framework DAL for filtering the data by the user permission business logic in the application. My layer implements IObjectSet and holds an instance of the "non-filtered ObjectSet", and the filter expression runs whenever the ObjectSet is in use. All works great, except for the method "Include". I found a solution that creates an extension method that converts the "non-filtered ObjectSet" to ObjectQuery and uses the ObjectQuery.Include method, but this solution can cause a bypass of the permission filtering.

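    public IQueryable<TEntity> Include<TJoin>(string path)
    {
        // Include runs on the underlying, unfiltered ObjectSet, so the permission filter is not applied here.
        var objectQuery = _nonAuthorizedObjectSet as ObjectQuery<TEntity>;
        if (objectQuery != null)
        {
            return objectQuery.Include(path);
        }
        throw new NotSupportedException("The underlying set is not an ObjectQuery<TEntity>.");
    }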

For example:

The table "Items" has the columns {Item_Id, Owner, Item_Type_Id}. This table has a permission logic that the user can only see the items where Owner==user. The table "Item_Types" has no permission logic.

By doing:

PermittedDAL.Items.ToArray() – I get only the items where current_user==Owner.

Item_Types.Include("Items") – Problem!! I get all the items.

Thanks

There is 1 best solution below

EF does not support filtering eager loaded records (Include). Only main records can be filtered. If you need to filter relations you must either use custom projections or separate queries for each relation.
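
The custom-projection approach from the answer, as an added example that is not part of the original question or answer: the related items are joined in from the already-filtered set instead of being eager-loaded with Include. The class names, `OwnedBy`, `TypesWithPermittedItems`, the user names and the in-memory `AsQueryable()` collections are assumptions standing in for the question's entities and ObjectSets.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Expressions;

public class Item { public int Item_Id { get; set; } public string Owner { get; set; } public int Item_Type_Id { get; set; } }
public class ItemType { public int Item_Type_Id { get; set; } }
public class TypeWithItems { public ItemType Type { get; set; } public IEnumerable<Item> Items { get; set; } }

public static class PermittedQueries
{
    // Permission rule from the question: a user sees only rows where Owner == user.
    public static Expression<Func<Item, bool>> OwnedBy(string user)
    {
        return i => i.Owner == user;
    }

    // Custom projection: Item_Types has no permission logic, so it is the outer
    // sequence; the related items come from the filtered set, never from Include.
    public static IQueryable<TypeWithItems> TypesWithPermittedItems(
        IQueryable<ItemType> types, IQueryable<Item> rawItems, string user)
    {
        IQueryable<Item> permitted = rawItems.Where(OwnedBy(user));
        return types.GroupJoin(permitted,
            t => t.Item_Type_Id,
            i => i.Item_Type_Id,
            (t, visible) => new TypeWithItems { Type = t, Items = visible });
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample rows standing in for the Item_Types and Items tables.
        var types = new[] { new ItemType { Item_Type_Id = 1 }, new ItemType { Item_Type_Id = 2 } }.AsQueryable();
        var items = new[]
        {
            new Item { Item_Id = 10, Owner = "alice", Item_Type_Id = 1 },
            new Item { Item_Id = 11, Owner = "bob",   Item_Type_Id = 1 },
            new Item { Item_Id = 12, Owner = "bob",   Item_Type_Id = 2 },
        }.AsQueryable();

        // Every type is listed, but each one carries only the caller's own items.
        foreach (var row in PermittedQueries.TypesWithPermittedItems(types, items, "alice"))
            Console.WriteLine("Type {0}: items [{1}]", row.Type.Item_Type_Id,
                string.Join(",", row.Items.Select(i => i.Item_Id)));
    }
}
```

In the layer described in the question, the `rawItems` argument would be the wrapper's own filtered set, so callers never touch the unfiltered ObjectSet directly.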