Channel: CSLA .NET

Authorization rule & object state


I often find that there's a need to do authorization not just based on the user's roles (permissions), but also based on some state in the object itself. A common scenario is that only the creator of a particular object can edit it (but it can be viewed by all). Or a property value should only be allowed to be changed if the Status property is a certain value.

The Target property of the AuthorizationContext would seem to allow access to any object state, but I want to verify if that is the proper way to access the state or not.

I found a thread from a while back that discussed sending input property values into authorization rules, and also allowing the rule to specify if its result may be cached, but nothing seems to have come of those.

Any suggestions (which ideally don't involve overriding CanWriteProperty)?
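
As an added illustration (not part of the original post and not CSLA's own code), this is one way a state-based rule reading `AuthorizationContext.Target` could look. It assumes the CSLA 4 `Csla.Rules` API; `Order`, `Status`, `CreatedBy`, `Notes` and the `"Draft"` value are hypothetical names.

```csharp
// Added example. Assumes CSLA 4 (Csla.Rules); all Order members are hypothetical.
using System;
using Csla;
using Csla.Core;
using Csla.Rules;

// Allows writing a property only to the object's creator, and only while
// the object's Status equals the required value.
public class CreatorWritesInStatus : AuthorizationRule
{
    private readonly string _requiredStatus;
    public CreatorWritesInStatus(IMemberInfo property, string requiredStatus)
        : base(AuthorizationActions.WriteProperty, property)
    {
        _requiredStatus = requiredStatus;
    }

    protected override void Execute(AuthorizationContext context)
    {
        // Target may be null or of another type; deny by default in that case.
        var order = context.Target as Order;
        var identity = ApplicationContext.User.Identity;
        context.HasPermission =
            order != null &&
            identity.IsAuthenticated &&
            string.Equals(order.CreatedBy, identity.Name, StringComparison.Ordinal) &&
            order.Status == _requiredStatus;
    }
}

[Serializable]
public class Order : BusinessBase<Order>
{
    public static readonly PropertyInfo<string> StatusProperty = RegisterProperty<string>(c => c.Status);
    public string Status { get { return GetProperty(StatusProperty); } set { SetProperty(StatusProperty, value); } }

    public static readonly PropertyInfo<string> CreatedByProperty = RegisterProperty<string>(c => c.CreatedBy);
    public string CreatedBy { get { return GetProperty(CreatedByProperty); } private set { LoadProperty(CreatedByProperty, value); } }

    public static readonly PropertyInfo<string> NotesProperty = RegisterProperty<string>(c => c.Notes);
    public string Notes { get { return GetProperty(NotesProperty); } set { SetProperty(NotesProperty, value); } }

    protected override void AddBusinessRules()
    {
        base.AddBusinessRules();
        BusinessRules.AddRule(new CreatorWritesInStatus(NotesProperty, "Draft"));
    }
}
```

The caching concern raised in the post applies to a rule like this: if the framework caches a property's authorization result, the answer can go stale when `Status` changes, so the check should also be enforced wherever the change is persisted.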

