[DevExpress Support Team: CLONED FROM T721161: Non-XAF security system in multithread (multiuser) application (OData web)]
Finally, I prepared my proof-of-concept example. I have extended your XAF_how-to-implement-odata4-service-with-xpo example with security system features. Everything works as expected.
The only issue appears to be the scenario when an HTTP request contains the $select parameter explicitly mentioning a property not allowed by the security system for the current user. In such a case, an SQL exception is raised.
System.Data.SqlClient.SqlException (0x80131904): At least one of the result expressions in a CASE specification must be an expression other than the NULL constant.
Steps to reproduce:
- Run my example service
- Send request http://localhost:[port]/Customers?$select=CustomerID,CompanyName as user "userA" with password "userA".
Any idea how to provide the client with a more convenient response once such a request is sent?
I would also appreciate your opinion and comments on my example API regarding the main concept and overall design.
Thanks a lot.