Hello all DevExpress devs! =)
I am attempting to tame Express Persistent Objects remotely.
Really, XPO enables two different approaches - being able to access the database directly, and through WebService/WCF.
For security reasons, we have selected the second option. Now WCF mediates database access, and clients must authenticate themselves to be able to access the database.
The program is really a Document Management System. Therefore, its primary database tables (classes inherited from XPObject) are "Documents" and "Customers". We have an additional table (XPO class), "DocumentUserAccess", which binds Customers and Documents together through associations. Clients retrieve data through XPCollections.
Despite the fact that clients must authenticate now, we should restrict their use of some Documents (while managers should get access to all Documents).
The webservice part consists of the following code to make remote XPO access possible:
    ' Pass-through implementation of IDataStoreContract over the wrapped data store
    Private Function Common_IDataStoreContract_ModifyData(ByVal ParamArray dmlStatements As ModificationStatement()) As ModificationResult Implements IDataStoreContract.ModifyData
        Return wrappedDataStore.ModifyData(dmlStatements)
    End Function

    Private Function Common_IDataStoreContract_SelectData(ByVal ParamArray selects As SelectStatement()) As SelectedData Implements IDataStoreContract.SelectData
        Dim data As SelectedData = wrappedDataStore.SelectData(selects)
        Return data
    End Function
And it is really simple to limit use of some TABLES:
    ' Per-table check: reject the whole batch if the caller may not touch one of the tables
    For Each statement In dmlStatements
        If Not UserCanAccessTable(OperationContext.Current.ServiceSecurityContext.PrimaryIdentity.Name, statement.TableName) Then
            Throw New Security.SecurityAccessDeniedException("You aren't allowed to modify this table.")
        End If
    Next
BUT, we cannot learn how to limit use of some ROWS.
As seen above, all criteria, along with other parameters of the client request, are available in claims (DevExpress.XPO.DB.ModificationStatement class).
At the same time, how can you check whether a user requests a particular document? Clients may use different criteria for fetching Documents, not just OIDs and Names. For instance, a client can request a set of documents according to a time frame.
So, before the database request has been performed, we cannot discover which rows the client will get or modify, and so we cannot check whether those rows are available to him.
Any help would be MUCH appreciated.
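One defensive pattern for the row-level question above, as an added example that is not from the post and not DevExpress code: instead of trying to predict which rows a client's criteria will hit, the service ANDs a server-chosen "Oid IN (allowed keys)" predicate onto every Documents statement before it reaches the wrapped store, so the database enforces the restriction whatever filter the client sent. The class name DocumentRowGuard, the "Oid" column name, and the two lookup delegates are assumptions; the DevExpress.Xpo.DB and DevExpress.Data.Filtering calls are written from memory of that API and should be checked against the installed version.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Linq
Imports System.ServiceModel
Imports DevExpress.Data.Filtering
Imports DevExpress.Xpo.DB
' Hypothetical guard in front of the wrapped, trusted data store. Assumed: the
' Documents table keeps its XPObject key in a column named "Oid", and the host
' supplies two lookups (is the user a manager; which Oids DocumentUserAccess
' lists for that user), both resolved server-side, never from client input.
Public Class DocumentRowGuard
    Private ReadOnly store As IDataStore
    Private ReadOnly isManager As Func(Of String, Boolean)
    Private ReadOnly allowedOids As Func(Of String, IEnumerable(Of Object))
    Public Sub New(wrapped As IDataStore, managerCheck As Func(Of String, Boolean), oidLookup As Func(Of String, IEnumerable(Of Object)))
        store = wrapped : isManager = managerCheck : allowedOids = oidLookup
    End Sub
    ' AND an "Oid IN (...)" predicate onto whatever criteria the client sent: the client
    ' keeps its own filter, the server decides the row set. An empty allow-list must
    ' become an always-false predicate, never "no filter".
    Private Shared Function Restrict(cond As CriteriaOperator, nodeAlias As String, oids As IEnumerable(Of Object)) As CriteriaOperator
        Dim keys = oids.Select(Function(o) CType(New OperandValue(o), CriteriaOperator)).ToList()
        Dim allow As CriteriaOperator
        If keys.Count = 0 Then
            allow = New BinaryOperator(New OperandValue(1), New OperandValue(0), BinaryOperatorType.Equal)
        Else
            allow = New InOperator(New QueryOperand("Oid", nodeAlias), keys)
        End If
        Return CriteriaOperator.[And](cond, allow) ' And() skips a Nothing client condition
    End Function
    ' Documents rows are narrowed for everyone except managers; other tables keep the post's per-table check.
    Private Sub Apply(st As BaseStatement, user As String)
        If st.TableName <> "Documents" OrElse isManager(user) Then Return
        st.Condition = Restrict(st.Condition, st.Alias, allowedOids(user))
    End Sub
    Public Function SelectData(ParamArray selects As SelectStatement()) As SelectedData
        Dim user = OperationContext.Current.ServiceSecurityContext.PrimaryIdentity.Name
        For Each s In selects : Apply(s, user) : Next
        Return store.SelectData(selects)
    End Function
    Public Function ModifyData(ParamArray dml As ModificationStatement()) As ModificationResult
        Dim user = OperationContext.Current.ServiceSecurityContext.PrimaryIdentity.Name
        For Each m In dml
            ' Inserts carry no row condition, so they need a separate policy decision.
            If Not (TypeOf m Is InsertStatement) Then Apply(m, user)
        Next
        Return store.ModifyData(dml)
    End Function
End Class
```

Joined sub-nodes (the statement's SubNodes) that reach Documents from another table need the same rewrite, and a narrowed update or delete silently skips rows outside the allow-list rather than failing, so log that difference server-side if it matters for auditing.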