Hello all DevExpress devs! =)
I'm trying to tame Express Persistent Objects remotely.
Actually, XPO allows two different approaches - accessing the database directly, and through WebService/WCF.
For security reasons, we've chosen the second option. Now, WCF wraps database access, and clients must authenticate themselves in order to access the database.
The software is a Document Management System. Therefore, its main database tables (classes inherited from XPObject) are "Documents" and "Users". We also have an additional table (XPO class), "DocumentUserAccess", which binds Users and Documents together through associations. Clients retrieve data through XPCollections.
Even though clients must authenticate now, we must restrict their access to some Documents (while administrators should have access to all Documents).
The webservice part contains the following code for making remote XPO access possible:
    Private Function Common_IDataStoreContract_ModifyData(ByVal ParamArray dmlStatements As ModificationStatement()) As ModificationResult Implements IDataStoreContract.ModifyData
        Return wrappedDataStore.ModifyData(dmlStatements)
    End Function

    Private Function Common_IDataStoreContract_SelectData(ByVal ParamArray selects As SelectStatement()) As SelectedData Implements IDataStoreContract.SelectData
        Dim data As SelectedData = wrappedDataStore.SelectData(selects)
        Return data
    End Function
And it's quite easy to restrict access to some TABLES:
    For Each statement In dmlStatements
        If Not UserCanAccessTable(OperationContext.Current.ServiceSecurityContext.PrimaryIdentity.Name, statement.TableName) Then
            Throw New Security.SecurityAccessDeniedException("You aren't allowed to modify this table.")
        End If
    Next
BUT, we can't figure out how to limit access to some ROWS.
As seen above, all criteria and other parameters of the client request are accessible in statements (DevExpress.XPO.DB.ModificationStatement class).
At the same time, how to check whether a user requests a specific document? Clients can use different criteria for fetching Documents, not only OIDs and Names. For example, a client can request a collection of documents based on a date range.
So, until the database request has executed, we can't find out which rows the client will receive or modify, and we can't check whether those rows are accessible to him.
Any help would be MUCH appreciated.
Thank you, John
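
One way to approach the row-level problem raised above, as an added example that is not part of the original post and not DevExpress's own code: instead of predicting which rows a client criterion will match, the service ANDs its own per-user filter onto every statement that touches "Documents" before passing it to the wrapped store. `AllowedDocumentOids` and `UserIsAdministrator` are hypothetical helpers (for instance a server-side lookup in "DocumentUserAccess"), and the "OID" key column name is assumed from the post.

```vbnet
Imports System.Linq
Imports System.ServiceModel
Imports DevExpress.Data.Filtering
Imports DevExpress.Xpo.DB

Partial Public Class SecuredDataStoreService
    Private Const DocumentsTable As String = "Documents"   ' table name from the post

    ' Call at the top of SelectData and ModifyData, before wrappedDataStore is used.
    Private Sub RestrictToAllowedRows(ByVal statements As IEnumerable(Of BaseStatement))
        Dim user As String = OperationContext.Current.ServiceSecurityContext.PrimaryIdentity.Name
        If UserIsAdministrator(user) Then Return            ' hypothetical helper

        ' Resolve the caller's rows on the server, never from client-supplied data.
        Dim allowed As CriteriaOperator() = AllowedDocumentOids(user).
            Select(Function(oid) DirectCast(New OperandValue(oid), CriteriaOperator)).
            ToArray()                                       ' hypothetical helper

        For Each statement As BaseStatement In statements
            RestrictNode(statement, allowed)
        Next
    End Sub

    ' Walks the statement and its joined nodes; every node that reads or
    ' writes Documents gets the row filter ANDed onto the client's condition.
    Private Sub RestrictNode(ByVal node As JoinNode, ByVal allowed As CriteriaOperator())
        If String.Equals(node.TableName, DocumentsTable, StringComparison.OrdinalIgnoreCase) Then
            Dim rowFilter As CriteriaOperator
            If allowed.Length = 0 Then
                ' No grants at all: force an always-false condition (deny by default).
                rowFilter = New BinaryOperator(New OperandValue(1), New OperandValue(0),
                                               BinaryOperatorType.Equal)
            Else
                rowFilter = New InOperator(New QueryOperand("OID", node.Alias), allowed)
            End If
            node.Condition = GroupOperator.And(node.Condition, rowFilter)
        End If

        For Each child As JoinNode In node.SubNodes
            RestrictNode(child, allowed)
        Next
    End Sub
End Class
```

This sketch does not inspect subqueries embedded inside a client condition, so a complete filter also has to walk the criteria tree for nested references to the protected table, and a very large grant list is better expressed as a server-side join than as an IN list.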