Channel: DevExpress Support Center (Examples)

How to separate data between employees and managers of different departments using security permissions

This example demonstrates how to use the new security system to implement the following scenario:

- Users (Joe, John) can view and edit their own tasks, but cannot delete them or create new ones. They also have read-only access to tasks, employees and other data of their own department.

- Managers (Sam, Mary) can fully manage (CRUD) their own department, its employees and tasks. However, they cannot access data from other departments.

- Administrators (Admin) can do everything within the application.

All users have empty passwords by default. You can see how it works in action at http://www.screencast.com/t/TBKEiCEfxc (or you can run functional tests in the MainDemo.EasyTests folder).


To do this:

1. Permissions at the type and object level (with criteria) are configured in the MainDemo.Module/DatabaseUpdate/Updater file.

Take special note that complex criteria against associated objects are built with the JoinOperand together with the built-in CurrentUserId and IsCurrentUserInRole criteria functions.
For greater convenience, strongly typed criteria for permissions are accompanied by their string representation.

2. The SecuredObjectSpaceProvider is used in the CreateDefaultObjectSpaceProvider method of the XafApplication descendants located in the WinForms and ASP.NET projects.


3. The Department, Employee and EmployeeTask classes are implemented in the MainDemo.Module/BusinessObjects folder.

To quickly understand relationships between involved business classes, their class diagram is attached.
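
As an added example (not code from the DevExpress sample or its Updater), this is one way to build the strongly typed form of the department criterion from step 1 with JoinOperand; it corresponds to the string form `AssignedTo.Department.Oid=[<Employee>][Oid=CurrentUserId()].Single(Department.Oid)` shown on this page. The helper class and method names are hypothetical, and the `using` namespaces are assumed for the XAF release this sample targets.

```csharp
using DevExpress.Data.Filtering;
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Security.Strategy; // assumed namespace of the SecuritySystem* classes

// Hypothetical helper for the Updater; names are illustrative, not part of the sample.
public static class DepartmentPermissionHelper {
    // [<Employee>][Oid = CurrentUserId()].Single(Department.Oid)
    // Free join that resolves the department of the logged-in employee at query time,
    // so the criterion follows the user if they move to another department.
    public static CriteriaOperator CurrentUserDepartmentOid() {
        return new JoinOperand(
            "Employee",
            new BinaryOperator(new OperandProperty("Oid"),
                new FunctionOperator("CurrentUserId"), BinaryOperatorType.Equal),
            Aggregate.Single,
            new OperandProperty("Department.Oid"));
    }

    // Matches only objects whose department key equals the current user's department.
    // departmentOidPath is relative to the secured type, for example
    // "AssignedTo.Department.Oid" for EmployeeTask.
    public static CriteriaOperator InOwnDepartment(string departmentOidPath) {
        return new BinaryOperator(new OperandProperty(departmentOidPath),
            CurrentUserDepartmentOid(), BinaryOperatorType.Equal);
    }

    // Creates an object-level permission restricted by the criterion. Write and delete
    // are explicit arguments so a read-only grant cannot become writable by omission.
    public static SecuritySystemObjectPermissionsObject AddObjectPermission(
        IObjectSpace objectSpace, SecuritySystemTypePermissionObject typePermission,
        CriteriaOperator criteria, bool allowWrite, bool allowDelete) {
        SecuritySystemObjectPermissionsObject permission =
            objectSpace.CreateObject<SecuritySystemObjectPermissionsObject>();
        permission.Criteria = criteria.ToString(); // permissions store the string form
        permission.AllowNavigate = true;
        permission.AllowRead = true;
        permission.AllowWrite = allowWrite;
        permission.AllowDelete = allowDelete;
        typePermission.ObjectPermissions.Add(permission);
        return permission; // persisted when the caller commits the object space
    }
}
// Usage inside the Updater, read-only access to tasks of the user's own department:
//   DepartmentPermissionHelper.AddObjectPermission(ObjectSpace, employeeTaskPermissions,
//       DepartmentPermissionHelper.InOwnDepartment("AssignedTo.Department.Oid"), false, false);
```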

IMPORTANT NOTES

1. Be aware of the issue described in the Security - The "Entering state 'GetObjectsNonReenterant'" error may occur while saving data if a permission criteria involves a collection property thread.

2. The State of the New Security System

Example Comments

Added By: Raoulw at: 2/11/2013 5:02:04 PM    

This is a great sample. There is one error, or it is not clear in the description. 'Users (Joe, John) can do everything with their own tasks and can also view data of their own department;' implies that Joe has read only access to Mary's tasks, which is not true. The code below fixes that.

Raoul.

                SecuritySystemObjectPermissionsObject canSeeTasksOnlyFromOwnDepartmentObjectPermission = ObjectSpace.CreateObject<SecuritySystemObjectPermissionsObject>();
                //canSeeTasksOnlyFromOwnDepartmentObjectPermission.Criteria = "AssignedTo.Department.Oid=[<Employee>][Oid=CurrentUserId()].Single(Department.Oid)";
                canSeeTasksOnlyFromOwnDepartmentObjectPermission.Criteria = new BinaryOperator(new OperandProperty("AssignedTo.Department.Oid"), joinEmployees, BinaryOperatorType.Equal).ToString();
                canSeeTasksOnlyFromOwnDepartmentObjectPermission.AllowNavigate = true;
                canSeeTasksOnlyFromOwnDepartmentObjectPermission.AllowRead = true;
                canSeeTasksOnlyFromOwnDepartmentObjectPermission.AllowWrite = false;
                canSeeTasksOnlyFromOwnDepartmentObjectPermission.AllowDelete = false;
                canSeeTasksOnlyFromOwnDepartmentObjectPermission.Save();
                employeeTaskPermissions.ObjectPermissions.Add(canSeeTasksOnlyFromOwnDepartmentObjectPermission);

Added By: Dennis (DevExpress Support) at: 7/4/2013 10:31:27 AM    

Thanks for your update, Raoul!
