Scenario:
Our Security System allows hiding navigation items for certain users by setting the Type Permission's Navigate access. Since with this approach, the Navigate access can be granted only for a certain type, the following scenarios are not supported:
1. It is necessary to hide a DashboardView.
2. There are several navigation items for a certain type, and it is required to hide a part of them.
3. It is necessary to hide a navigation item that is not associated with a certain View (e.g., a navigation group).
This article demonstrates how to extend the security role class with the HiddenNavigationItems property allowing hiding navigation items by their ID.
Steps to implement:
1. Implement a custom permission type - NavigationItemPermission - that can be used to check access permissions for a certain navigation item by its ID.
2. Implement a custom permission request - NavigationItemPermissionRequest - that will be sent to check whether the current user has access to a certain navigation item.
3. Implement a custom permission request processor - NavigationItemPermissionRequestProcessor - that determines whether the current user has permissions for the received permission request.
4. Register the permission request processor in the application by handling the SecurityStrategy.CustomizeRequestProcessors event in the Program.cs and Global.asax.cs files.
5. Implement a custom role with the HiddenNavigationItems property. Override the role's GetPermissionsCore method to create NavigationPermission instances based on the value of the HiddenNavigationItems property.
6. Specify the custom role in the Security System's RoleType property in the Application Designer, as described in the How to: Implement Custom Security Objects (Users, Roles, Operation Permissions) topic.
7. Implement a ShowNavigationItemController's descendant - CustomShowNavigationItemController - and override its SynchItemWithSecurity method to deactivate navigation items prohibited by the CustomSecurityRole.HiddenNavigationItems property.
After implementing these steps in your project, you will be able to assign a role with the HiddenNavigationItems property to the required users to restrict their access to certain navigation items.
Question Comments
Added By: Maurice Picton at: 6/10/2014 7:52:32 AM
Can someone post the HideNavigationItemsExample that is mentioned below in the code?
I'm having trouble implementing this solution.
In the steps to implement, none of the entities you describe are in any of the documentation and I can't locate them in visual studio.
Added By: Anatol (DevExpress Support) at: 6/10/2014 8:07:44 AM These classes are implemented in this example. You can see their code below, under the comments. To download the complete example, use the Downloads - Example link at the right edge of this page.Added By: Randy Jean at: 2/13/2015 11:15:42 AMIs there a way to make this be least restriction has precedence. For instance, if I have a users role that hides navigation items and a direct role that does not hide, can the director role take precedence over the user role somehow?
Added By: Randy Jean at: 2/13/2015 11:33:21 AMthink I may have come up with a way to make this work. If I add a wildcard * to my HiddenNavigationItem then modify the IsGranted like so:
public override bool IsGranted(NavigationItemPermissionRequest permissionRequest) {
foreach (NavigationItemPermission permission in permissions.GetPermissions<NavigationItemPermission>()) {
if (permission.HiddenNavigationItem == permissionRequest.NavigationItem) {
return false;
} else if (permission.HiddenNavigationItem.Replace("*","") == permissionRequest.NavigationItem) {
return true;
}
}
return true;
}
This seems to do what I want. So I can have user with the restrictions but then override in Director with the wildcard character like this: AddressGroup*, Person_Varied*
Do you see any issues with this?
Added By: Anatol (DevExpress Support) at: 2/16/2015 6:16:18 AMI am not sure that this approach will work in all cases, since the GetPermissions method returns permissions from all user roles, and with your implementation the first permission always wins. So, it is better to set a boolean variable based on the permission's HiddenNavigationItem property and return this value after processing all NavigationItemPermission permissions.
Added By: Genesis Supsup 1 at: 8/7/2016 12:48:08 PM This example doesn't seem to work anymore on when using PermissionPolicyRoleBase in version 16.1+ ... any workaround?