Entity Framework (and other ORMs) are simplifying correspondence with relational databases, saving us from having to type enormous amounts of code. Still, we should not feel too confident about simplification offered by ORMs - not least relax about security.
In this demonstration, you will see one common pitfall where custom code is delegating all database-related work to Entity Framework, forgetting to constrain queries to only access objects to which authenticated user possesses permission. In the rest of the demonstration, we shall come to one coding pattern which ensures that every call into Entity Framework will always be secure out of the box.
This content was first displayed in a live coding demo at https://youtu.be/Hpazn6WlfoQ
The brushed-up version was presented as a 45-minute talk at Sinergija conference (Belgrade, November 2020). In Serbian, with no recording (as far as I was informed).
There is also a 60-minute version of this talk prepared, which was never presented. If this talk is accepted, it would therefore be the third, improved version of the example.
Zoran is Principal consultant at Coding Helmet Consultancy, speaker and author of 100+ articles, and independent trainer on .NET technology stack. He can often be found speaking at conferences and user groups, promoting object-oriented development style and clean coding practices and techniques that improve longevity of complex business applications.