Entity Framework (and other ORMs) are simplifying correspondence with relational databases, saving us from having to type enormous amounts of code. Still, we should not feel too confident about simplification offered by ORMs - not least relax about security.
In this demonstration, you will see one common pitfall where custom code is delegating all database-related work to Entity Framework, forgetting to constrain queries to only access objects to which authenticated user possesses permission. In the rest of the demonstration, we shall come to one coding pattern which ensures that every call into Entity Framework will always be secure out of the box.
22 июн 2021
