Repository Questions

Sep 14, 2007 at 11:31 PM
Tim,

Great work so far. I had time to quickly skim the repository & repository factory projects. I have a few comments/questions.

1. Is the sample application being positioned as a single-user or multi-user application? The repository factory implementation seems tuned for a single-user scenario. If one attempted to use the repository factory on a server (for example, within a web application), the repository factory would give out repositories to users with the same UOW shared between users (disaster).

2. What emphasis on security will you be placing on demonstrating within the sample? I peeked into the customer repository and the SQL demonstrated is subject to a SQL injection attack (unless the application is validating user input elsewhere). Perhaps security technique is not a key objective of the sample - and I would understand that.

I look forward to future progress on the sample!

Chris
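To make point 2 concrete, here is an added example (not code from the sample project or from either poster) of the two ways a customer repository can build its lookup query: string concatenation, which is what makes a query subject to SQL injection, and a parameterized query, which sends the user-supplied name as a bound value the database never parses as SQL. It uses Python's built-in sqlite3 module with a constructed Customers table so that it runs offline; the sample's real schema and data access layer are assumed to differ.

```python
import sqlite3

# Constructed seed data for this example; not the sample application's schema.
SEED_CUSTOMERS = [
    ("Alice Adams", "alice@example.com"),
    ("Bob Brown", "bob@example.com"),
]


def open_db():
    """Create an in-memory database with a small Customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Customers (Id INTEGER PRIMARY KEY, Name TEXT NOT NULL, Email TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO Customers (Name, Email) VALUES (?, ?)", SEED_CUSTOMERS)
    conn.commit()
    return conn


class ConcatenatingCustomerRepository:
    """Builds the WHERE clause by gluing the caller's string into the SQL text.

    Anything the caller passes becomes part of the statement the engine parses,
    so both injected conditions and perfectly legitimate apostrophes change
    the query's meaning.
    """

    def __init__(self, conn):
        self.conn = conn

    def find_by_name(self, name):
        sql = "SELECT Id, Name, Email FROM Customers WHERE Name = '" + name + "'"
        return self.conn.execute(sql).fetchall()


class ParameterizedCustomerRepository:
    """Sends the name as a bound parameter; the SQL text is fixed."""

    def __init__(self, conn):
        self.conn = conn

    def find_by_name(self, name):
        sql = "SELECT Id, Name, Email FROM Customers WHERE Name = ?"
        return self.conn.execute(sql, (name,)).fetchall()


def row_counts(name):
    """Run the same lookup through both repositories.

    Returns (concatenated_count, parameterized_count). The concatenated count
    is None when the input turned the query into malformed SQL, which is what
    a legitimate name containing an apostrophe does.
    """
    conn = open_db()
    try:
        try:
            concat = len(ConcatenatingCustomerRepository(conn).find_by_name(name))
        except sqlite3.OperationalError:
            concat = None
        param = len(ParameterizedCustomerRepository(conn).find_by_name(name))
    finally:
        conn.close()
    return concat, param


if __name__ == "__main__":
    for candidate in ("Alice Adams", "x' OR '1'='1", "O'Brien"):
        print(repr(candidate), "->", row_counts(candidate))
```

Running it shows why validation on the domain object, as Tim plans, is a complement and not a substitute: the parameterized repository returns exactly one row for "Alice Adams", zero rows for the tautology input, and zero rows for "O'Brien", while the concatenated one returns every customer for the tautology and fails outright on the apostrophe. Validation can reject obviously hostile strings, but only parameterization keeps a valid name like "O'Brien" from being interpreted as SQL.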
Oct 19, 2007 at 4:51 AM
Chris, thank you for taking the time to review this code! Here are my answers to your questions, inline:

1. Is the sample application being positioned as a single-user or multi-user application? The repository factory implementation seems tuned for a single-user scenario. If one attempted to use the repository factory on a server (for example, within a web application), the repository factory would give out repositories to users with the same UOW shared between users (disaster).

Yes, it is tuned for a single-user application...it is a Smart Client application actually, so only one person would ever be using it at the same time on the client machine. The server application has a completely different domain, which I am not designing in this phase of the application.

2. What emphasis on security will you be placing on demonstrating within the sample? I peeked into the customer repository and the SQL demonstrated is subject to a SQL injection attack (unless the application is validating user input elsewhere). Perhaps security technique is not a key objective of the sample - and I would understand that.

For security, I will be implementing authentication and authorization in the last chapter. As far as SQL injection goes, there will be validation added to the domain objects before they get saved to their respective repository; I just have not added any of it yet. I will probably use a combination of the validation application block and specifications to do that.

Great points!

Thanks,

Tim
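The shared-unit-of-work problem from point 1, as an added example (not code from the sample project or from either poster): a factory that owns a single UnitOfWork hands every caller the same pending-change list, so when one user commits, another user's half-finished edits are flushed along with theirs. A factory that creates one UnitOfWork per scope (per request or per user session on a server) keeps each user's work isolated. The UnitOfWork, repository and factory classes below are simplified stand-ins written for this example and are assumed not to match the sample's real implementation.

```python
from dataclasses import dataclass


@dataclass
class Customer:
    name: str
    email: str


class UnitOfWork:
    """Collects new objects until commit() flushes them to the backing store."""

    def __init__(self, store):
        self.store = store
        self.pending = []

    def register_new(self, obj):
        self.pending.append(obj)

    def commit(self):
        flushed = list(self.pending)
        self.store.extend(flushed)
        self.pending.clear()
        return flushed


class CustomerRepository:
    def __init__(self, uow):
        self.uow = uow

    def add(self, customer):
        self.uow.register_new(customer)


class SharedUowRepositoryFactory:
    """One UnitOfWork for the whole process.

    Acceptable for a single-user Smart Client; on a server every concurrent
    caller would share this one pending-change list.
    """

    def __init__(self, store):
        self.uow = UnitOfWork(store)

    def customers(self):
        return CustomerRepository(self.uow)

    def unit_of_work(self):
        return self.uow


class ScopedUowRepositoryFactory:
    """One UnitOfWork per scope; the caller holds its own scope object."""

    def __init__(self, store):
        self.store = store

    def begin_scope(self):
        return UnitOfWork(self.store)

    def customers(self, uow):
        return CustomerRepository(uow)


def simulate(factory_kind):
    """Two users work concurrently; only user B commits.

    Returns the sorted names that B's commit actually wrote to the store.
    """
    store = []
    if factory_kind == "shared":
        factory = SharedUowRepositoryFactory(store)
        # User A registers a draft but has not committed.
        factory.customers().add(Customer("A's draft", "a@example.com"))
        # User B adds a customer and commits only their own work...
        factory.customers().add(Customer("B's customer", "b@example.com"))
        flushed = factory.unit_of_work().commit()
    elif factory_kind == "scoped":
        factory = ScopedUowRepositoryFactory(store)
        uow_a = factory.begin_scope()
        uow_b = factory.begin_scope()
        factory.customers(uow_a).add(Customer("A's draft", "a@example.com"))
        factory.customers(uow_b).add(Customer("B's customer", "b@example.com"))
        flushed = uow_b.commit()
    else:
        raise ValueError(f"unknown factory kind: {factory_kind}")
    return sorted(c.name for c in flushed)


if __name__ == "__main__":
    print("shared:", simulate("shared"))
    print("scoped:", simulate("scoped"))
```

With the shared factory, B's commit writes A's draft as well; with per-scope units of work, B's commit writes only B's customer and A's draft stays pending until A decides. On a web server the scope would typically be the request, which is the change Chris's comment implies a server-side version of the factory would need.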