1

I have the following web service:

[DataContract]
public class Project
{
    public long Id { get; set; }
    public string Name { get; set; }
}

[OperationContract]
public Project GetProject(long Id);

Now I want to add a SecretData property that should only be exposed to certain users. I've come up with several ideas, but none of them sit quite well with me:

  1. Add a nullable SecretData property to Project. If the user doesn't have permission to view it, set it to null. This seems like the simplest approach, but how would a consumer tell the difference between a "no permission" null and a legitimate null value?
  2. Solution 1, but also add a boolean CanViewSecretData property. This addresses the legitimate null problem, but seems cumbersome.
  3. Provide a separate operation SecretDataType GetSecretData(long projectId) to retrieve the secret data, and return an error if the user does not have permission to call it. This keeps the data contract clean, but I see us ending up with lots of separate operations that need to be called in order to construct a full object.

Is there a better approach out there?

Annabelle
  • 10,596
  • 5
  • 27
  • 26

1 Answers1

2

I've got no idea what framework you are using, but from a general web services perspective here is what I suggest. In the XSD for Project, add an optional SecretData element to Project. When the user is not permitted to read SecretData, do not include the element in the response. Otherwise, include the element and when SecretData is null set the xsi:nil attribute to true.

Tom Howard
  • 6,516
  • 35
  • 58