Security approach for DevExpress XAF Application

0
votes

I am developing a Project Management type application using the DevEx eXpressApp Framework. I have been using it for a nearly a year now but am only just now getting around to using it's security model, and would like some help in defining an approach to implementing a requirement.

I have two classes: Project and Tasks. Project contains a child XPCollection (Property) of Tasks (named Tasks), such that I can type Project.Tasks.Add(Task t); All I need to be able to do is come up with a way to provide a user with the ability to see and edit specific Tasks within the Task Collection. As the Admin user, I need a way to "assign" User 1 to Tasks 1 and 3 of project P1 and Task 4 of Project P2. Then I would - for example - assign User 2 to Tasks 2 of project P1 and Tasks 1-3 of P2 There will be new projects all the time, so I need a flexible way of assigning/un-assigning users ad-hoc within the application.

  1. Project 1

    • Task 1 - User 1
    • Task 2 - User 2
    • Task 3 - User 1

  2. Project 2

    • Task 1 - User 2
    • Task 2 - User 2
    • Task 3 - User 2
    • Task 4 - User 1

When User 1 logs in and clicks on the Project 1 (in a ListandDetailView), they would see only the Tasks that they have been assigned to. Same is true for User 2. Neither user would see the entire set of Tasks for either Project.

I have created a dummy project and can only get to the point where each user sees all or none of the Tasks. I'm thinking that the Object Permissions (using Criteria) approach is the way to go but can't think of what criteria to use.

I am wide open to design suggestions as they relate to the security model. Roles/groups/new classes etc.

But please ignore any possible application design issues not mentioned here like "Dependencies between tasks, etc..." I have a very specific requirement.

Please help!

Additional random info in case it helps.

  1. What version of the software are you running? DevExpress 12.1 (vx2)
  2. What’s your operating system? Windows Server 2008
  3. What exactly are you trying to do that won’t work? Set up Security in application to Limit the ability of the logged in User to see specific items in a Child Collection of an object
  4. Is the problem uniform or erratic? Uniform
  5. What’s the exact error message? No error yet; so far, i have figured out how to show all items in the collection or none
  6. When did it arise? N/a
  7. What exactly don’t you “get”? How to configure the security model to achieve my requirement
  8. Can you provide sample code, ideally with line errors where the error occurs? Don't have any code yet; just selecting the various Read/Write/Navigate, etc... checkboxes.
1
securitydevexpressxaf

1 Answers

1
votes

You have two options

  • use the 'New' security documented here and use an 'Read' object permission (as you suggest) with criteria something like Task.User = CurrentUserId()
  • handle the filtering with ViewControllers using the method described here which has the advantage of working with the older (pre 11.2) security system as well.

The first method is preferable, but the second method gives you more control and might be better if your rules to determine 'ownership' of a task are too complex to describe via simple criteria.