                                  • Hi,
                                    I am testing XAF in order to use it in a commercial project, and I like it and its superb support as well :) However, I am facing an issue which is very close to something that may be called "Data level security".
                                    My application is quite simple and contains entities related to a generic commercial company structure:
                                    -- Company
                                             |-------Employee (can be related to itself through "Manager" property)
                                    If I introduced these two classes in XAF it generates list views and details views for them and it works ok.
                                    The issue is that I want to relate every company to a logged-in super user who will manage the company structure (create employees and managers). Since there will be many companies managed by their super users in the database, I would like every super user to view and manage only his company's details - neither the details of every company nor employees and managers from a different company.
                                    This requires either many security features to be implemented throughout whole application (filter list views, prevent company entity detail views from loading, filter combos in employee details views, etc.) OR implement data level security by "injection" as mentioned here - http://www.devexpress.com/Support/Center/p/S30538.aspx?searchtext=security+xafcore&p=T4|P0|54.
                                    Just my note to "injection" - to implement data level security, mentioned suggestion (injection) should support these two things in order to support "my" scenario:
                                    - have possibility to filter any data coming from underlying data source before they were fetched.
                                    - know what data were requested from underlying data source (in order to implement data level security by adding another filter criteria to existing one).
                                    My questions are:
                                    - Do you have some alternative idea how to implement the mentioned behavior in the current version? I am afraid that filtering database data BEFORE they are fetched, REGARDLESS of which application part requested them, is an impossible task with XAF.
                                    - When do you think you can release that "injection" or another feature which can enable developers to implement data level security?
                                    Looking forward to your answers.

                                • Marina (DevExpress Support) 05.28.2009

                                  Hi,
                                  Thank you for the questions. Unfortunately, I can't provide a time frame when the suggestion ID: S30538 will be implemented. Our developers plan to implement this feature, but I'm afraid not this year.
                                  As for the current workaround, you should create the ViewController for every business class, which objects should belong only to one company. In every such ViewController, apply filter when activating the controller:
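                                  protected override void OnActivated() {
                                    base.OnActivated();
                                    // CollectionSource exists only on list views, so skip other view types.
                                    if (View is ListView listView)
                                      listView.CollectionSource.Criteria["ByCompany"] = new BinaryOperator("ReferenceToCompanyMember", ((MyUser)SecuritySystem.CurrentUser).Company);
                                  }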
                                  These controllers allow you to apply filter to any ListView (root, nested or lookup). Also, see the following suggestion: XCRM.Security - Add the capability to protect information depending on the current user's company or department
                                  Thank you, Marina

                                • Zed 05.28.2009

                                  Hi,
                                  Thanks for the answer.
                                  Can you please give me more details on the workaround with ViewControllers?
                                  - how to create ViewController for each business entity as it can intercept calls for list views and details views for that entity?
                                  - View.CollectionSource can be filtered by Criteria property *after* it will be populated by all data from database, right?
                                  - how to filter one combobox in detail view (Manager property within Employee edit view should list only employees which current employee belongs to)?
                                  And one more question to XAF itself - do you provide XAF with source code? If so, do you have any recommendation how "injection" should be implemented?
                                  Many thanks.
                                  Regards.

                                • Marina (DevExpress Support) 05.29.2009

                                  Hi,
                                  Here are answers to your questions:
                                  >- how to create ViewController for each business entity as it can intercept calls for list views and details views for that entity?
                                  You can use the following code:

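
                                  using DevExpress.Data.Filtering;
                                  using DevExpress.ExpressApp;

                                  public class CompanySecurityViewController : ViewController {
                                    public CompanySecurityViewController() {
                                      // Activate only for list views of MyEmployee.
                                      TargetObjectType = typeof(MyEmployee);
                                      TargetViewType = ViewType.ListView;
                                    }
                                    protected override void OnActivated() {
                                      base.OnActivated();
                                      // Set before the collection is loaded, so the criterion is part of the query.
                                      ((ListView)View).CollectionSource.Criteria["ByCompany"] =
                                        new BinaryOperator("Company", ((MyUser)SecuritySystem.CurrentUser).Company);
                                    }
                                  }
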

                                  There is no possibility to apply this filter to DetailViews, as well as to Reports and Analysis modules, because these modules don't create controllers at all.
                                  >- View.CollectionSource can be filtered by Criteria property *after* it will be populated by all data from database, right?
                                  No. The OnActivated method should be called prior to loading a CollectionSource.
                                  >- how to filter one combobox in detail view (Manager property within Employee edit view should list only employees which current employee belongs to)?
                                  Use the DataSourceCriteria or DataSourceProperty attributes.
                                  >And one more question to XAF itself - do you provide XAF with source code? If so, do you have any recommendation how "injection" should be implemented?
                                  We don't have any piece of advice on how to implement this sort of security, because we didn't do any research in this regard. We have created a suggestion. This task can be accomplished on the fly.
                                  Thank you, Marina
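
An added illustration, not part of the original thread and not XAF or DevExpress code: the two requirements listed in the question (filter before data is fetched, and AND the security criterion onto whatever was requested) expressed as a single data-access choke point in plain C# with LINQ. All type and member names below (`ICompanyOwned`, `CompanyScopedStore`, `Employee`) are hypothetical, and the sample rows are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Expressions;

// Hypothetical types for illustration; none of this is XAF or XPO API.
public interface ICompanyOwned { int Id { get; } int CompanyId { get; } }

public sealed class Employee : ICompanyOwned {
    public int Id { get; set; }
    public int CompanyId { get; set; }
    public string Name { get; set; }
}

// Single choke point: every read goes through this class, so the company
// criterion is combined with the caller's own filter inside the query,
// regardless of which part of the application asked for the data.
public sealed class CompanyScopedStore<T> where T : class, ICompanyOwned {
    private readonly IQueryable<T> source;
    private readonly int companyId;

    public CompanyScopedStore(IQueryable<T> source, int currentUserCompanyId) {
        (this.source, companyId) = (source, currentUserCompanyId);
    }

    // List views, lookups, reports: requested filter AND company filter.
    public IQueryable<T> Query(Expression<Func<T, bool>> requested = null) {
        var scoped = source.Where(e => e.CompanyId == companyId);
        return requested == null ? scoped : scoped.Where(requested);
    }

    // Detail views: a key that belongs to another company yields null.
    public T GetById(int id) => Query(e => e.Id == id).SingleOrDefault();
}

public static class Demo {
    public static void Main() {
        // Constructed sample data: two companies sharing one table.
        var rows = new List<Employee> {
            new Employee { Id = 1, CompanyId = 10, Name = "Ann" },
            new Employee { Id = 2, CompanyId = 10, Name = "Bob" },
            new Employee { Id = 3, CompanyId = 20, Name = "Eve" },
        }.AsQueryable();

        var store = new CompanyScopedStore<Employee>(rows, currentUserCompanyId: 10);
        Console.WriteLine(store.Query().Count());                   // rows visible to company 10
        Console.WriteLine(store.GetById(3) == null);                // direct load of a foreign key
        Console.WriteLine(store.Query(e => e.Name == "Eve").Any()); // caller filter cannot widen scope
    }
}
```

Because the scope is applied where data is read rather than in each view, the detail-view and report paths that the controller workaround does not cover go through the same check.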
