M# Tutorials

Learn to build .NET applications with M#. Our step-by-step tutorials will get you up-to-speed rapidly.
If you already know ASP.NET and C#, you can master M# in a week or two.

Action Based Security

In previous security-related tutorials we discussed traditional security measures, such as authentication and authorisation. But we often need to impose business rules on a particular action, and in this tutorial we will learn how to enforce security using pure business logic.

Let’s take the example of a login process, where we usually match the user ID and then the password, allowing the user to log in if authenticated. Often we need to perform further steps, e.g. to ensure that the email addresses provided are legitimate or that the user being authenticated is not deactivated. For this purpose we build logic to validate an email address by sending an activation URL.

To handle the above scenarios, we will further develop the “Employee” entity type discussed in earlier tutorials. We want to ensure that only active employees are able to log in. For this purpose, a new “Boolean” type property “IsActive” is added to the “Employee” entity (for more details on creating entities and adding properties, please read the tutorials Entity, Page, Module and Properties), as shown below:

Now we need to implement the logic that prevents inactive employees from logging in. We have implemented a new method “CanLogin” in the business logic partial class of our “Employee” entity type. We are not going to use the “IsActive” property directly in the UI to enforce security, because login is an action that might require other validations in future; using the “IsActive” property directly now would require us to change the UI at a later stage, and it doesn’t express meaningful logic.

It is recommended that you always create methods for individual actions, e.g. updating an instance for specific actions, writing validation rules or enforcing business logic. Creating individual methods for specific actions is especially useful with inheritance, where some business objects get the privilege to override the business rule.
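The following is an added example, not code from the original tutorial or generated by M#: a plain C# sketch of the “CanLogin” action rule with an inherited override, enforced on the server after credentials are verified. The `Contractor` subtype, `ContractEnd`, `LoginResult`, `LoginService` and the `verifyPassword` callback are hypothetical names introduced for illustration.

```csharp
using System;

// Plain C# only; no M# framework APIs are used. In an M# project, IsActive
// would sit in the generated half of the partial class.
public partial class Employee
{
    public bool IsActive { get; set; }

    // One method per action: future login checks are added here, not in each page.
    public virtual bool CanLogin() => IsActive;
}

// Hypothetical subtype that tightens the inherited rule.
public class Contractor : Employee
{
    public DateTime ContractEnd { get; set; }

    public override bool CanLogin() => base.CanLogin() && DateTime.UtcNow <= ContractEnd;
}

public enum LoginResult { Success, InvalidCredentials, AccountNotAllowed }

public static class LoginService
{
    // verifyPassword is an assumed callback wrapping the application's own password check.
    public static LoginResult TryLogin(Employee employee, string password,
                                       Func<Employee, string, bool> verifyPassword)
    {
        // An unknown user and a wrong password share one outcome.
        if (employee == null || !verifyPassword(employee, password))
            return LoginResult.InvalidCredentials;

        // The action rule runs only after authentication succeeds, so account
        // status is not disclosed to a caller who lacks the password.
        return employee.CanLogin() ? LoginResult.Success : LoginResult.AccountNotAllowed;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data; the password check is a stand-in stub.
        Func<Employee, string, bool> check = (e, p) => p == "sample-password";
        var inactive = new Employee { IsActive = false };
        var expired = new Contractor { IsActive = true, ContractEnd = DateTime.UtcNow.AddDays(-1) };

        Console.WriteLine(LoginService.TryLogin(new Employee { IsActive = true }, "sample-password", check));
        Console.WriteLine(LoginService.TryLogin(inactive, "sample-password", check));
        Console.WriteLine(LoginService.TryLogin(expired, "sample-password", check));
        Console.WriteLine(LoginService.TryLogin(inactive, "wrong", check));
    }
}
```

Because the check lives in `TryLogin` rather than in the page, hiding or showing a button is only a convenience; the rule still holds if the request is sent directly.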

M# provides “Criteria. Rule” and “Visibility. Rule” attributes for actions and elements respectively. These attributes are used to provide custom action-based security. In this tutorial, we will use the “Criteria. Rule” attribute on a button action to display a message if the user is inactive (button actions are explained in the chapter Button Actions), as shown below:

As the code above demonstrates, M# generates rules as conditional statements. Similarly, rule attributes can be used to control any element’s visibility or any action’s execution.