Breaking Change T898638

Security - New validation and appearance rules for PermissionPolicyUser and PermissionPolicyRole

What Changed

  1. We added validation rules to prevent deletion of the last active administrator and the last administrative role with active users.
  2. We added appearance rules to disable the Can Edit Model, Permission Policy, Type Permissions, Navigation Permissions, and Denied Actions editors if the IsAdministrative property is set to true.
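
The invariant behind the validation rules in item 1, as an added C# sketch that is not DevExpress code and does not use the XAF validation API. The Role, User and LastAdminGuard types are hypothetical stand-ins, and the sketch assumes an active administrator is an active user who holds at least one role with IsAdministrative set to true.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical stand-ins, not the XAF PermissionPolicyRole / PermissionPolicyUser types.
class Role { public string Name; public bool IsAdministrative; }
class User {
    public string Name;
    public bool IsActive;
    public List<Role> Roles = new List<Role>();
}

static class LastAdminGuard {
    // Assumption: an active administrator is an active user with at least one administrative role.
    static bool HasActiveAdmin(IEnumerable<User> users) =>
        users.Any(u => u.IsActive && u.Roles.Any(r => r.IsAdministrative));

    // Each check evaluates the state that would exist after the change, without applying it.
    public static bool CanDeleteUser(List<User> users, User target) =>
        HasActiveAdmin(users.Where(u => u != target));

    // Covers deactivating a user and editing the user's role list.
    public static bool CanChangeUser(List<User> users, User target, bool isActive, List<Role> roles) =>
        HasActiveAdmin(users.Where(u => u != target)
            .Concat(new[] { new User { Name = target.Name, IsActive = isActive, Roles = roles } }));

    // Deleting a role or clearing its IsAdministrative flag removes its effect for every holder.
    public static bool CanDeleteOrDemoteRole(List<User> users, Role target) =>
        users.Any(u => u.IsActive && u.Roles.Any(r => r.IsAdministrative && r != target));
}

static class Program {
    static void Main() {
        // Constructed sample data: one active admin, one inactive admin, one regular user.
        var admins = new Role { Name = "Administrators", IsAdministrative = true };
        var staff = new Role { Name = "Staff" };
        var alice = new User { Name = "alice", IsActive = true, Roles = { admins } };
        var bob = new User { Name = "bob", IsActive = false, Roles = { admins } };
        var carol = new User { Name = "carol", IsActive = true, Roles = { staff } };
        var users = new List<User> { alice, bob, carol };

        Console.WriteLine($"delete bob: {LastAdminGuard.CanDeleteUser(users, bob)}");
        Console.WriteLine($"delete alice: {LastAdminGuard.CanDeleteUser(users, alice)}");
        Console.WriteLine($"deactivate alice: {LastAdminGuard.CanChangeUser(users, alice, false, alice.Roles)}");
        Console.WriteLine($"delete Administrators: {LastAdminGuard.CanDeleteOrDemoteRole(users, admins)}");
        Console.WriteLine($"delete Staff: {LastAdminGuard.CanDeleteOrDemoteRole(users, staff)}");
    }
}
```

With this data, only deleting bob and deleting Staff pass the check; the other three changes would leave no active administrator.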

Reasons for Change

  1. Validation rules proactively prevent situations where apps are left without active administrators. This helps developers reduce support calls from end users in already deployed apps.
  2. Appearance rules proactively prevent situations where developers or end users mistakenly add permissions for the Administrative role (when IsAdministrative = True, permissions have no effect). This helps developers reduce support calls from end users in already deployed apps.

Impact on Existing Apps

  1. Apps will show validation errors when end users try to create, update, or delete security users or roles in a way that leaves no active administrators. To avoid these validation errors, create at least one active security user with administrative permissions (IsAdministrative = True).
    To have the same protection in XAF versions older than v20.1.5, add custom validation rules as described in this KB article.
  2. Almost all editors will be disabled in the role detail view if the IsAdministrative property is set to true. This will happen only in applications that use the Conditional Appearance module.
    To improve UX, we added a tooltip to the IsAdministrative property.

How to Revert to Previous Behavior

1. In the Model Editor, expand the Validation | Rules node and remove the following validation rules:

XPO

  • PermissionPolicyUser_XPO_Prevent_remove_last_admin_user
  • PermissionPolicyUser_XPO_Prevent_change_last_admin_user
  • PermissionPolicyUser_XPO_Prevent_delete_last_admin_role
  • PermissionPolicyRole_XPO_Prevent_change_last_admin_role

EF6

  • PermissionPolicyUser_EF_Prevent_remove_last_admin_user
  • PermissionPolicyUser_EF_Prevent_change_last_admin_user
  • PermissionPolicyUser_EF_Prevent_delete_last_admin_role
  • PermissionPolicyRole_EF_Prevent_change_last_admin_role

2. In the Model Editor, expand the BOModel | DevExpress | Persistent | PermissionPolicy | PermissionPolicyRoleBase | AppearanceRules node and remove the following appearance rules:

XPO

  • XPOActionPermissionsIsAdministrative
  • XPOCanEditModelIsAdministrative
  • XPONavigationPermissionsIsAdministrative
  • XPOPermissionPolicyIsAdministrative
  • XPOTypePermissionsIsAdministrative

EF6

  • EFActionPermissionsIsAdministrative
  • EFCanEditModelIsAdministrative
  • EFNavigationPermissionsIsAdministrative
  • EFPermissionPolicyIsAdministrative
  • EFTypePermissionsIsAdministrative
