Channel: XAF Team Blog

XAF - Permissions for UI Actions and Security System for non-XAF Apps Powered by Entity Framework Core 3 (v20.1)


Security Permissions for Actions (CTP)

This new XAF security layer allows developers to prohibit execution of both custom and XAF system Actions within WinForms and ASP.NET applications.
First, a word or two about Actions – XAF Actions represent UI commands within an application. These include a broad range of UI commands – from menu items and Ribbon commands, to navigation links. To demonstrate how XAF developers can institute fine-grained control over user roles and hide or deactivate UI Actions as needed, we recently published the following YouTube video:

To enable this feature, set the static EnableSecurityForActions property to True. To add custom Actions or remove system Actions available in the Denied Actions tab, handle the NonSecureActionsInitializing event.

Note that Action permissions hide Actions unconditionally: they are not meant to interact with Conditional Appearance, State Machine, TargetObjectsCriteriaMode, or any custom rules driven by criteria or object/UI changes within Controllers. If you require dynamic behavior for Actions, use those mechanisms together with built-in criteria functions such as IsCurrentUserInRole and CurrentUserId.
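The two setup steps above, as an added example that is not the blog's own code. It assumes the property and the event live on the static SecurityStrategy class and that the event arguments expose a NonSecureActions collection of Action IDs (the Actions excluded from the Denied Actions tab); "MyCustomAction" is a hypothetical Action ID. Verify the member names against the DevExpress documentation for your version.

```csharp
// Call before the application starts: Program.cs (WinForms) or Global.asax.cs (ASP.NET).
using DevExpress.ExpressApp.Security;

static class ActionPermissionsSetup {
    public static void Configure() {
        // Turn on permission checks for UI Actions (CTP feature in v20.1).
        // Assumed host class: SecurityStrategy.
        SecurityStrategy.EnableSecurityForActions = true;

        // Adjust which Actions appear in the Denied Actions tab.
        // Assumed: e.NonSecureActions is the collection of Action IDs that are
        // NOT subject to permissions, so removing an ID makes it deniable and
        // adding an ID hides it from the tab.
        SecurityStrategy.NonSecureActionsInitializing += (sender, e) => {
            // Hypothetical custom Action that must always be available (e.g. a
            // "help" command): keep it out of the Denied Actions tab.
            e.NonSecureActions.Add("MyCustomAction");

            // Make a system Action deniable by removing it from the exclusion list.
            e.NonSecureActions.Remove("Refresh");
        };
    }
}
```

Because these permissions hide an Action outright for a role, keep role-specific but state-dependent behavior (enable only when the selected object matches a criterion) in Conditional Appearance or TargetObjectsCriteriaMode, as the note above says.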

Security System for Entity Framework Core (CTP)

Our goal is to help DevExpress and non-DevExpress customers benefit from XAF's Security System and Entity Framework Core. In v20.1, we've added a secured Object Space (a DbContext wrapper) for EF Core 3.1+ and demonstrated its use for basic CRUD operations in Console and WinForms applications. This functionality mirrors our XPO ORM implementation. This feature is currently available as a community tech preview, so we welcome your feedback.

If you are not familiar with XAF's security system, the following GitHub repo offers an overview of its architecture and its key features: User Authentication and Group Authorization .NET API.

Three main steps to integrate XAF's User Authentication and Group Authorization API using EF Core data access are shown below:

Similar code will work in any client or server .NET Core app (including Blazor Server). Note that primary protection takes place at the data store level: secured record fields get 'null' values, or whole records are filtered out internally, if role permissions deny access.

You can also use CanRead or other CanXXX methods to mask secured fields or modify the UI further (in the following image departments are masked with 'Protected Content' when title does not contain the word 'Development').
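The three integration steps and the CanRead masking described above, as an added console example that is not the blog's or the GitHub repo's code. It assumes an EF Core ApplicationDbContext with an Employee entity (Title, and a Department navigation with its own Title), the EF Core PermissionPolicy user/role types, a placeholder connection string, and the v20.1 CTP type names (SecurityStrategyComplex, AuthenticationStandard, SecuredEFCoreObjectSpaceProvider) as this editor recalls them from the public DevExpress example; confirm namespaces and constructor signatures against the repo linked above.

```csharp
using System;
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.EFCore;           // assumed namespace for the EF Core provider
using DevExpress.ExpressApp.Security;
using DevExpress.Persistent.BaseImpl.EF.PermissionPolicy; // assumed namespace for PermissionPolicyUser/Role
using Microsoft.EntityFrameworkCore;

class Program {
    // Placeholder; replace with the real connection string of your database.
    const string ConnectionString = "<your-connection-string>";

    static void Main() {
        // Step 1: authentication + security strategy (integrated mode, user/role types from PermissionPolicy).
        var authentication = new AuthenticationStandard();
        var security = new SecurityStrategyComplex(
            typeof(PermissionPolicyUser), typeof(PermissionPolicyRole), authentication);
        security.RegisterEntityTypes(
            typeof(PermissionPolicyUser), typeof(PermissionPolicyRole), typeof(Employee));

        // Step 2: a secured Object Space provider that wraps the DbContext.
        // Records the role cannot read are filtered out; members it cannot read come back as null.
        var provider = new SecuredEFCoreObjectSpaceProvider(
            security, typeof(ApplicationDbContext), XafTypesInfo.Instance, ConnectionString,
            (builder, connectionString) => builder.UseSqlServer(connectionString));

        // Step 3: log on, then read data only through the secured Object Space.
        authentication.SetLogonParameters(new AuthenticationStandardLogonParameters("User", ""));
        using (IObjectSpace logonObjectSpace = provider.CreateObjectSpace()) {
            security.Logon(logonObjectSpace);
        }
        using (IObjectSpace objectSpace = provider.CreateObjectSpace()) {
            foreach (Employee employee in objectSpace.GetObjects<Employee>()) {
                Console.WriteLine($"{employee.Title}: {DisplayDepartment(security, employee)}");
            }
        }
        security.Logoff();
    }

    // CanRead reflects the effective member permission for the logged-on role, so the UI can
    // distinguish "no department assigned" (null data) from "not allowed to see it" (masked).
    static string DisplayDepartment(SecurityStrategyComplex security, Employee employee) {
        if (!security.CanRead(employee, nameof(Employee.Department))) {
            return "Protected Content";
        }
        return employee.Department?.Title ?? "(none)";
    }
}
```

The masking decision is made in the application layer only for presentation; the data itself is already withheld by the secured Object Space, which is why the blog stresses that the primary protection happens at the data store level rather than in UI code.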

Security System - New Learning Materials
