70-340, Role Based Security question
Hello all,

I was reading Tony Northrup's book for 70-340/330, p. 5-22, about declarative
RBS demands.

Here is sample code that I'm concerned with:

[PrincipalPermission(SecurityAction.Demand, Name = @"CONTOSO\Administrators")]
[PrincipalPermission(SecurityAction.Demand, Name = @"CONTOSO\User1", Role = @"CONTOSO\Managers")]
[PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
private void AdminOnlyMethod()
{
    // only Administrators can run this code
}

The book states (summarized): The following code allows any of the following
to run the method - 1) Members of the local Administrators group, 2) User
named CONTOSO\User1 who is a member of CONTOSO\Managers group, 3) Any
authenticated user.

My question is that the comment in the method "//only Administrators can run
this code" seems to contradict who can run the code based on those 3
conditions above.

If "User1" logs in, he can run the AdminOnlyMethod() method correct?
Additionally, if "UserX", who is an authenticated user in "Sales", logs in,
he can run the method also - because of the last PrincipalPermission
attribute?

Thanks for any insight on that,
Ron
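The following is an added example, written for this thread and not taken from the book or from Ron's post, that makes the attribute semantics observable. It assumes .NET Framework (declarative PrincipalPermission demands are not enforced on .NET Core / .NET 5+) and uses constructed, hypothetical principals (CONTOSO\User1, CONTOSO\UserX and their groups are stand-ins, not real directory objects). Two facts about PrincipalPermission it relies on: several PrincipalPermission attributes on the same method are combined with OR, so the call proceeds if any one of them is satisfied, while Name and Role inside a single attribute are ANDed; and Role is tested with IPrincipal.IsInRole whereas Name is compared with IIdentity.Name, so a group such as Administrators belongs in Role. The example therefore puts the Administrators group in Role, and adds a second method with a single demand to show what the "only Administrators" comment would actually require.

```csharp
// Added example (not from the book or the post). Assumes .NET Framework:
// declarative PrincipalPermission demands are not enforced on .NET Core / .NET 5+.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

static class RbsDemo
{
    // The three demands from the post. Multiple PrincipalPermission attributes on one
    // method are ORed: the call succeeds if ANY single attribute is satisfied.
    // Within one attribute, Name and Role are ANDed (both must match the principal).
    // Role is checked via IPrincipal.IsInRole, Name against IIdentity.Name, so the
    // Administrators group is placed in Role here (the post's first attribute uses Name).
    [PrincipalPermission(SecurityAction.Demand, Role = @"CONTOSO\Administrators")]
    [PrincipalPermission(SecurityAction.Demand, Name = @"CONTOSO\User1", Role = @"CONTOSO\Managers")]
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    public static void AnyAuthenticatedMethod() { }

    // What the comment "only Administrators can run this code" actually requires:
    // a single demand, so only members of the Administrators role get through.
    [PrincipalPermission(SecurityAction.Demand, Role = @"CONTOSO\Administrators")]
    public static void AdminOnlyMethod() { }

    // Runs 'action' with 'principal' installed as Thread.CurrentPrincipal, which is
    // what PrincipalPermission.Demand inspects. Returns false if the demand throws.
    public static bool TryRunAs(IPrincipal principal, Action action)
    {
        IPrincipal saved = Thread.CurrentPrincipal;
        Thread.CurrentPrincipal = principal;
        try
        {
            action();
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
        finally
        {
            Thread.CurrentPrincipal = saved;
        }
    }

    // Constructed test principals (hypothetical accounts, not real directory objects).
    // GenericIdentity reports IsAuthenticated == false only when its name is empty.
    public static IPrincipal Principal(string name, params string[] roles)
    {
        return new GenericPrincipal(new GenericIdentity(name), roles);
    }

    public static void Main()
    {
        IPrincipal user1Manager = Principal(@"CONTOSO\User1", @"CONTOSO\Managers");
        IPrincipal userXSales   = Principal(@"CONTOSO\UserX", @"CONTOSO\Sales");
        IPrincipal anonymous    = Principal("");

        // Each line reports whether the principal/method pair passes the declarative demand.
        Report("User1 (Managers) -> AnyAuthenticatedMethod", TryRunAs(user1Manager, AnyAuthenticatedMethod));
        Report("UserX (Sales)    -> AnyAuthenticatedMethod", TryRunAs(userXSales, AnyAuthenticatedMethod));
        Report("anonymous        -> AnyAuthenticatedMethod", TryRunAs(anonymous, AnyAuthenticatedMethod));
        Report("UserX (Sales)    -> AdminOnlyMethod", TryRunAs(userXSales, AdminOnlyMethod));
    }

    static void Report(string label, bool allowed)
    {
        Console.WriteLine("{0}: {1}", label, allowed ? "allowed" : "denied (SecurityException)");
    }
}
```

Built as a .NET Framework console application, the first two calls are allowed (User1 satisfies the Name-plus-Role attribute, UserX satisfies the Authenticated = true attribute), the anonymous call is denied because no attribute is satisfied, and UserX is denied on AdminOnlyMethod because that method carries the Administrators demand alone. The helper restores the previous principal in a finally block so a failed demand does not leave the thread running as the test identity.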