我想做的是当从Breeze调用SaveChanges web api时,我检查正在保存的实体类型,并确保用户具有添加/修改该实体类型的适当权限。到目前为止我所拥有的:
[HttpPost]
public SaveResult SaveChanges(JObject bundle)
{
_clientPortalContext.BeforeSaveEntitiesDelegate = ValidateSecurity;
return _clientPortalContext.SaveChanges(bundle);
}
private Dictionary<Type, List<EntityInfo>> ValidateSecurity(Dictionary<Type, List<EntityInfo>> saveMap)
{
List<EntityInfo> workItems;
if (saveMap.TryGetValue(typeof(WorkItem), out workItems))
{
if (workItems.Count(wi => wi.EntityState == Breeze.ContextProvider.EntityState.Added) > 0 && !Utilities.GetCurrentUser().HasPermission(1))
{
var errors = workItems.Select(wi => { return new EFEntityError(wi, "Not Authorized", "The current user is not authorized to create work items.", ""); });
throw new EntityErrorsException(errors);
}
}
return saveMap;
}
如果用户没有权限,这确实可以防止发生保存。它还向浏览器返回403错误,这很好。但它也从Breeze中抛出了某种例外。我想知道我做错了什么,这样我才能防止Breeze异常。
POST http://localhost:14307/breeze/WorkItem/SaveChanges 403 (Exception of type 'Breeze.ContextProvider.EntityErrorsException' was thrown.) angular.js:8380
TypeError: Cannot read property 'map' of undefined
at ctor._prepareSaveResult (http://localhost:14307/Scripts/breeze.debug.js:15625:43)
at Object.breeze.AbstractDataServiceAdapter.ctor.saveChanges.ajaxImpl.ajax.success (http://localhost:14307/Scripts/breeze.debug.js:14822:43)
at successFn (http://localhost:14307/Scripts/breeze.debug.js:15025:20)
at http://localhost:14307/scripts/angular.js:7946:11
at deferred.promise.then.wrappedCallback (http://localhost:14307/scripts/angular.js:11319:81)
at http://localhost:14307/scripts/angular.js:11405:26
at Scope.$get.Scope.$eval (http://localhost:14307/scripts/angular.js:12412:28)
at Scope.$get.Scope.$digest (http://localhost:14307/scripts/angular.js:12224:31)
at Scope.$get.Scope.$apply (http://localhost:14307/scripts/angular.js:12516:24)
at done (http://localhost:14307/scripts/angular.js:8204:45) undefined