Hi guys, welcome to the second part of OData. In this post, I am going to cover some basic scenarios of OData security. Often we might come across scenarios in which we want to limit what the user input with OData filters. Or we can validate the query conditions provided by the users. Listing out different scenarios below:
Scenario1:- Allowing certain query operation only
You can limit your action to only allow a specific query only. For example, query that contains $top and $skip.
This can be easily done using an simple property called AllowedQueryOptions.
[Queryable(AllowedQueryOptions = AllowedQueryOptions.Skip | AllowedQueryOptions.Top)]
And the test result is :
here we can see that the system rejected the OData operation.
Scenario 2: Only want to order the results by certain property, nothing else
Order by any arbitrary properties could be slow and unwanted. Now we have a simple way to do that using AllowedOrderbyProperties.
[EnableQuery(AllowedOrderByProperties = “Name”)]
Now a request to https://localhost:44365/api/Bay/GetaAll/f20d7f05-8c93-42a7-b951-df8505b69de3/?$orderby=SortOrder will fail since it can’t be ordered by SortOrder property.
Scenario 4: Limit the value for $top
In the client driven paging scenario, sometimes the server might want to limit the maximum number of records that the client wants to request using $top. You can use MaxTop property in this case. For demo purpose, I have limited the maximum top values that can be returned to 2 in Bay controller’s GetAll method.
[EnableQuery(MaxTop = 2)]
And the results are:
Scenario 5: Only need eq comparison in $filter
If you know that your trusted clients only uses equal comparison inside the $filter. You should validate that as well using AllowedLogicalOperators. Here is how you can do it.
[EnableQuery(AllowedLogicalOperators = AllowedLogicalOperators.Equal)]
Now a request to https://localhost:44365/api/Bay/GetaAll/f20d7f05-8c93-42a7-b951-df8505b69de3?$filter=name eq ‘Bay 1’
will succeed, while a request to https://localhost:44365/api/Bay/GetaAll/f20d7f05-8c93-42a7-b951-df8505b69de3?$filter=sortOrder gt ‘1’ will fail since it does not allow gt.
Scenario 6: Do not need any of the arithmetic operations in $filter
OData URL convention supports a lot of convenient arithmetic operations. However, it is possible your scenario don’t need to use any of those. Now you can turn that off by setting AllowedArithmeticOperators to None.
[EnableQuery(AllowedArithmeticOperators = AllowedArithmeticOperators.None)]
Now a request to https://localhost:44365/api/Bay/GetaAll/f20d7f05-8c93-42a7-b951-df8505b69de3?$filter=name eq ‘Bay 1’ will succeed, while a request to https://localhost:44365/api/Bay/GetaAll/f20d7f05-8c93-42a7-b951-df8505b69de3?$filter=1 mul 5 gt 9 will fail.
That was it. Just try OData in your API method and experience its flexibility!
Thanks for reading!