WCF Data Services/Entity Framework : Logging client's username, Authentication, Authorization

Question

I am using Entity Framework with WCF Data Services and I have the following table in my database :

Table Contract

• Id (int)
• Name (varchar)
• byUser (varchar)
• isDeleted (bit)

Entity Framework class

• Id (int)
• Name(string)
• byUser(string)
• isDeleted(boolean)

whenever the user is inserting/updating/deleting a contract(through a client app), I need to log who did the action.

so, I created Stored procedures for insert/update/delete that will receive the username from the client when an insertion/deletion/update is performed.

the issue is that the delete operation does not send over who is performing the operation :

        var ctx = Context;
        var contractToDelete = ctx.Contracts.Where(c => c.ContractId == 1).First();
        contractToDelete.ByUser = username;
        ctx.DeleteObject(contractToDelete);
        ctx.SaveChanges();

at the server side, the byUser is always null.

Questions :

1) How do I make it so that the byUser parameter is sent to the server ?

2) Is there a better way to handle this kind of scenario ? (logging/authentication/authorization) with Entity Framework

Answer 1

It doesn't send null "always". It sends the old value always. That is some internal logic in entity framework. For each tracked object EF keeps both original and current values. When you are deleting object EF doesn't use current values - it uses original values (don't ask me why, simply this is how it works).

So you need to cheat EF:

var ctx = Context;
var contractToDelete = ctx.Contracts.Where(c => c.ContractId == 1).First();
contractToDelete.ByUser = username;
ctx.Contracts.ApplyOriginalValues(contractToDelete);
ctx.DeleteObject(contractToDelete);
ctx.SaveChanges();

Calling ApplyOriginalValues will force EF to override original values with values passed in parameter = you will override original values with current values.

In my opinion the better way is storing deleted records in separate table because it will avoid a lot of problems with passing isDeleted=false to every query where both eager and lazy loading will load deleted records as well. The only way to avoid problems with isDeleted is using conditional mapping but in such case you will not be able to load deleted records even if you want to unless you use stored procedures or direct SQL queries.

Answer 2

The way I managed this is, when my user logs in, I store basic information about them in the session. I then have a class that sits on top of my actions to context.

Whenever I commit back changes, I go through the same routine which checks what changed. I developed the ability to trigger actions based upon the entity being worked with (so I can keep an eye on something such as contracts). Then I have the user able to be logged.

[Edit]

This is tougher to clarify than I realised, but I'll try.

I'm creating a web application. Heavily using Ninject.

When the user logs in, I store their information in an IUserSession object (this is really held in Session, but a custom Ninject scope makes this neat for me and prevents me from having to expose my data layer to Web Session). This user session object contains username, user id etc.

I created a class that contains the context,and wraps all the SELECT,CREATE,DELETE and COMMIT calls. i.e. SELECT;

public IQueryable<TEntity> All<TEntity>( ) {
  return Context.Set<TEntity>();
}

This class also has a Commit method, this is the call to SaveChanges.

Before calling SaveChanges, you have access to the changes in the form of Context.ChangeTracker.Entities

For each entity that has changed, you can test to see if it was added, deleted or modified.To get the type of the element being modified;

Type baseEntityType = ObjectContext.GetObjectType( entity.Entity.GetType( ) );

I do plan on writing up a tutorial soon, based upon my personal experience with doing this (not that that helps you right now).