WCF Request Interceptors: Is This MSDN Check a Security Risk?

If you look at this MSDN documentation, a sample appears with the following code:

// Define a change interceptor for the Products entity set.
[ChangeInterceptor("Products")]
public void OnChangeProducts(Product product, UpdateOperations operations)
{
    if (operations == UpdateOperations.Add ||
       operations == UpdateOperations.Change)
    {
        // Reject changes to discontinued products.
        if (product.Discontinued)  //<-- IS THIS BASED ON UNVERIFIED CLIENT DATA???
        {
            throw new DataServiceException(400,
                        "A discontinued product cannot be modified");
        }
    }
    else if (operations == UpdateOperations.Delete)
    {
        // Block the delete and instead set the Discontinued flag.
        throw new DataServiceException(400, 
            "Products cannot be deleted; instead set the Discontinued flag to 'true'"); 
    }
}

Look at the comment in all CAPS. My question is: "Is this line dependent on the data provided by the client ... and if so, what can we do to have a secure check?"

+2
1 answer

, . , . ( , ), . , . , , , / . . , EF, EF, ( ).

+1
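
One way to base the check on stored data rather than on the request, as an added example that is not part of the original question, answer or the MSDN sample. It assumes that the service uses an Entity Framework ObjectContext provider, that the entity handed to the interceptor already carries the values sent by the client, and that the context still tracks the values it loaded from the database; NorthwindService and NorthwindEntities are assumed names.

```csharp
using System.Data.Objects;   // EF 4/5 ObjectContext API (EF 6: System.Data.Entity.Core.Objects)
using System.Data.Services;

// Assumed names: NorthwindEntities is an EF ObjectContext exposing Products.
public class NorthwindService : DataService<NorthwindEntities>
{
    [ChangeInterceptor("Products")]
    public void OnChangeProducts(Product product, UpdateOperations operations)
    {
        if (operations == UpdateOperations.Change)
        {
            // product.Discontinued may simply echo what the client sent, so
            // ask the context for the entry it is tracking for this entity.
            ObjectStateEntry entry;
            if (!CurrentDataSource.ObjectStateManager
                    .TryGetObjectStateEntry(product, out entry))
            {
                // Fail closed: without a tracked entry there is no
                // server-side value to compare against.
                throw new DataServiceException(500,
                    "Unable to verify the stored state of the product");
            }

            // OriginalValues holds what was loaded from the store, before
            // the values from the request were applied to the entity.
            bool storedDiscontinued = (bool)entry.OriginalValues["Discontinued"];
            if (storedDiscontinued)
            {
                throw new DataServiceException(400,
                    "A discontinued product cannot be modified");
            }
        }
        else if (operations == UpdateOperations.Delete)
        {
            // Same behaviour as the sample: block the delete.
            throw new DataServiceException(400,
                "Products cannot be deleted; instead set the Discontinued flag to 'true'");
        }
        // UpdateOperations.Add: no stored row exists yet, so every value is
        // client-supplied and must be validated on its own terms.
    }
}
```

With a provider other than Entity Framework, the equivalent step is to re-read the stored row by key on a separate query and compare against that.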

Source: https://habr.com/ru/post/1773836/

