Hello all DevExpress devs! =)

I am attempting to tame Express Persistent Objects remotely.

Really, XPO enables two different approaches: accessing the database directly, and through a WebService/WCF.

For security reasons, we have selected the second option. Now the WCF service accesses the database, and clients must authenticate themselves to be able to access the database.

The program is really a Document Management System. Therefore, its primary database tables (classes inherited from XpObject) are "Documents" and "Customers". We have an additional table (XPO class), "DocumentUserAccess", which binds Customers and Documents together through associations. Clients retrieve data through XPCollections.

Despite the fact that clients must authenticate now, we should restrict their use of some Documents (while managers should get access to all Documents).

The webservice part contains the following code to make remote XPO access possible:

    ' Forwards every modification statement to the wrapped data store unchanged.
    Private Function Common_IDataStoreContract_ModifyData(ByVal ParamArray dmlStatements As ModificationStatement()) As ModificationResult Implements IDataStoreContract.ModifyData

        Return wrappedDataStore.ModifyData(dmlStatements)

    End Function

    ' Forwards every select statement to the wrapped data store and returns the raw result.
    Private Function Common_IDataStoreContract_SelectData(ByVal ParamArray selects As SelectStatement()) As SelectedData Implements IDataStoreContract.SelectData

        Dim data As SelectedData = wrappedDataStore.SelectData(selects)
        Return data

    End Function

And it is really simple to limit use of some TABLES:

    ' Table-level check: reject the whole call if the authenticated caller may not touch the table.
    For Each statement In dmlStatements

        If Not UserCanAccessTable(OperationContext.Current.ServiceSecurityContext.PrimaryIdentity.Name, statement.TableName) Then
            Throw New Security.SecurityAccessDeniedException("You aren't allowed to modify this table.")
        End If

    Next


BUT, we cannot learn how to limit use of some ROWS.

As seen above, all criteria, along with the other parameters of the client request, are available in claims (DevExpress.XPO.DB.ModificationStatement class).

Simultaneously, how can you check whether a user demands a particular document? Clients may use different criteria for fetching Documents, not just OIDs and Names. For instance, a client can request an assortment of documents according to a time frame.

So, before the database request has been performed, we cannot discover which rows the client will get or modify, and we can't check whether individual rows are available to him.

Any help would be MUCH appreciated.

Thanks, John
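
One common way to handle the row-level problem described in this post is to stop trying to predict the rows and instead AND a server-side access predicate onto whatever criteria the client sent. The following is an added example, not code from the original thread and not XPO's API: it models the idea in Python with SQLite, and the column names, the tuple-based criteria tree and all sample rows are constructed assumptions.

```python
import sqlite3
# Constructed schema and rows; column names are assumptions, not taken from the post.
SCHEMA = """
CREATE TABLE Customers (Oid INTEGER PRIMARY KEY, Login TEXT, IsManager INTEGER);
CREATE TABLE Documents (Oid INTEGER PRIMARY KEY, Name TEXT, Created TEXT);
CREATE TABLE DocumentUserAccess (Customer INTEGER, Document INTEGER);
INSERT INTO Customers VALUES (1, 'alice', 0), (2, 'boss', 1);
INSERT INTO Documents VALUES (10, 'offer', '2012-01-05'),
  (11, 'payroll', '2012-01-20'), (12, 'memo', '2012-03-01');
INSERT INTO DocumentUserAccess VALUES (1, 10), (1, 12);
"""
COLUMNS = {"Oid", "Name", "Created"}  # Documents columns a client may filter on
# Server-side rule: managers match every row, others only rows granted to them.
ACL = ("(EXISTS (SELECT 1 FROM Customers c WHERE c.Login = ? AND c.IsManager = 1)"
       " OR EXISTS (SELECT 1 FROM DocumentUserAccess a JOIN Customers c"
       " ON c.Oid = a.Customer WHERE c.Login = ? AND a.Document = Documents.Oid))")

def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def compile_criteria(node):
    """Criteria tree -> (sql, params); values are bound, column names allow-listed."""
    op = node[0]
    if op in ("and", "or"):
        parts = [compile_criteria(n) for n in node[1:]]
        sql = "(" + f" {op.upper()} ".join(s for s, _ in parts) + ")"
        return sql, [p for _, ps in parts for p in ps]
    if node[1] not in COLUMNS:
        raise ValueError(f"unknown column {node[1]!r}")
    if op == "eq":
        return f"{node[1]} = ?", [node[2]]
    if op == "between":
        return f"{node[1]} BETWEEN ? AND ?", [node[2], node[3]]
    raise ValueError(f"unsupported operator {op!r}")

def scoped_where(login, criteria):
    # login comes from the authenticated session, never from the request itself
    sql, params = compile_criteria(criteria)
    return f"({sql}) AND {ACL}", params + [login, login]

def select_documents(db, login, criteria):
    where, params = scoped_where(login, criteria)
    query = f"SELECT Oid FROM Documents WHERE {where} ORDER BY Oid"
    return [row[0] for row in db.execute(query, params)]

def rename_documents(db, login, criteria, new_name):
    where, params = scoped_where(login, criteria)
    return db.execute(f"UPDATE Documents SET Name = ? WHERE {where}", [new_name] + params).rowcount
```

Because the same predicate is applied to reads and writes, a time-frame query returns only permitted rows and an update aimed at a forbidden row affects zero rows, without the service ever enumerating rows in advance.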

As far as we know, the response to your question is published at: