Ticket T1054371

Visible to All Users

Q359904: How to modify objects/properties in code when the user does not have the permission seems to not work.

gat

created 3 years ago (modified 3 years ago)

Hello
I'm referring to the Q359904.
My question is concerning the behavior of the method directBaseUow_BeforeCommitTransaction of MySecuredObjectSpaceProvider when only the PayCard object is allowed (the PayCardUsage is not accessible).

Can you confirm that, despite we are operating within a non secured session, when you are saving an instance of the PayCard object then the result calculated by the CalculatePayMoneyAmount will not include the values of the PayCardUsage that are denied by the the TypePermission?
The above is what appears to be to me when we configure the above permissions, the PaycardUsages collection owned by the PayCard always contains 0 elements even from within the directBaseUow_BeforeCommitTransaction method.

BTW: I modified the original example just changing the permissions for the user role. Please execute the example, modify the current PayCard object and save. You will see that the property PayMoneyAmount will be zero instead of the sum of PayCardUsage objects. In this case is seems there is a Criteria "1==0" set on the PayCardUsages property of the Paycard object that do not allows to the get right collection.
Infact, querying directly the PayCardUsage records is possible (this confirm that we are within a non Secure session) but is seems to the that the Criteria 1==0 was created (and not removed) by the SecuritySystem. Do you confirm that this criteria created by the securitySystem? Any way to detect and remove it?

Can you suggest a way of keeping the suggested method (directBaseUow_BeforeCommitTransaction) but be sure that the PayMoneyAmount property of the PayCard object will for sure be updated with the right Sum regardless the permissions set on the PayCardUsage object?

Many thanks for your support.
D

CL1316.zip

Answers approved by DevExpress Support

Andrey K (DevExpress Support)

created 3 years ago (modified 3 years ago)

Hello,

Indeed, in this usage scenario, you can't get values from the PayCard.PayCardUsages collection as XAF doesn't load it. To change this behavior, use one of the following ways:

set the SecurityStrategy.AssociationPermissionsMode property to 'Auto'
manually load the required objects in the directBaseUow_BeforeCommitTransaction method. For example:

C#
void directBaseUow_BeforeCommitTransaction(object sender, SessionManipulationEventArgs e)
    {
        List<PayCard> cardsToUpdate = new List<PayCard>();
        foreach (System.Object item in e.Session.GetObjectsToSave()) {

            if (item is PayCard) {
                if (!cardsToUpdate.Contains((PayCard)item)){
                    cardsToUpdate.Add((PayCard)item);
                }
            } else if (item is PayCardUsage) {
                PayCardUsage payCardUsage = (PayCardUsage)item;
                if (payCardUsage.PayCard != null && !cardsToUpdate.Contains(payCardUsage.PayCard)) {
                    cardsToUpdate.Add(payCardUsage.PayCard);
                }
            }
        }
        var lst = new XPCollection<PayCardUsage>(e.Session).ToList();
        foreach (PayCard payCard in cardsToUpdate) {
            payCard.CalculatePayMoneyAmount(true);
        }
    }

Please note that we posted the solution from Q359904 (and the current one) as is and it may have limitations. Thoroughly test all use cases and scenarios. If you find some limitations, you will need to research and debug our source code to get the desired result.

Please also note that a simpler way is to create a non-secured IObjectSpace and work with secured data using it. You can see this solution at point 1 in Q359904 - SecurityStrategyComplex: How to modify objects/properties in code when the user does not have the permission?. Please consider using this solution instead of the BeforeCommitTransaction event.

Thanks,
Andrey

Show previous comments (7)

gat 3 years ago

Hi Andrey,
Thanks for the suggestion.
Since I cannot set the SecurityStrategy.AssociationPermissionsMode property to 'Auto' (I want to deny the access to PayCardUsage from within secured Sessions) and I need to manage the modifications within the same transaction, may I ask if you see any side effect in making empty the Criteria of the PayCardUsage collection instead of loading it within a new variable?
I'm asking this because I would like to create an "automatic" way of just resetting the criteria of all the association members when I'm within an unsecured session. Otherwise I need to change lot of code to check one by one all the association that are used in code and load them explicitly.

Anyhow I have I question. In your code, what is the effect of the following instruction? lst is never used…

C#
var lst = new XPCollection<PayCardUsage>(e.Session).ToList();

Thanks in advance for your suggestions.
D

gat 3 years ago

Hi Again,
I did some additional tests even trying setting the SecurityStrategy.AssociationPermissionsMode property to 'Auto'.
The point is that the collections of the objects arriving in the non Secure Session are still filtered by any permission that is set in the security system and I would like to avoid it just having the possibility of accessing to an "unfiltered" versions of the objects within the same transaction.
For your convenience I'm attaching a modified version of the original example. In this one you find that the AssociationPermissionMode is Auto but there is an objectPermission on the PayCardUsage.
Again in this case the PayCardUsages collection is still filtered by the SecuritySystem even in the non secured transaction.
Please could you kindly suggest me how to avoid this?
Many thanks in advance
D

CL1316.zip

Andrey K (DevExpress Support) 3 years ago

Hello,

Indeed, if there are explicit Deny permissions, the Security System doesn't grant access to associated objects. You can learn more about how the Security System works with associations here: Permissions for Associated Objects.

To load these objects in your usage scenario, use the solution that I posted above:

C#
var lst = new XPCollection<PayCardUsage>(e.Session).ToList();

This code loads objects from a database, and as a result, the code that uses the PayCard.PayCardUsages collection can calculate the correct value. Please note that we didn't test this solution in all usage scenarios, so please thoroughly test it before using it in production.

I would also like to remind you that a simpler and more reliable solution for such tasks is to use a non-secured IObjectSpace. Did you try applying it? If so, what difficulties did you encounter?

Thanks,
Andrey

gat 3 years ago

Hi Andrey
Thanks for the answer, I would like to ask for some additional clarifications.

"Indeed, if there are explicit Deny permissions, the Security System doesn't grant access to associated objects. You can learn more about how the Security System works with associations here: Permissions for Associated Objects"
I know this and this is the reason why I want to calculate the value from a Non Secure session that is within the directBaseUow_BeforeCommitTransaction. Do you mean that also this session is affected by the operations performed by the securitySystem? If yes, can you please suggest how to get an "non secured" session?

"This code loads objects from a database, and as a result, the code that uses the PayCard.PayCardUsages collection can calculate the correct value. Please note that we didn't test this solution in all usage scenarios, so please thoroughly test it before using it in production."
Sorry, this is not clear to me. If I look in the debugger, I see that from within the directBaseUow_BeforeCommitTransaction method the PayCardUsage list member of the PayCard object has a Criteria equal to the criteria I set in the ObjectPermission. This is the reason why I cannot access any record even if I think to be within a non secured session.
You suggest to load a collection within a variable (lst) that is never used in your code:

C#
var lst = new XPCollection<PayCardUsage>(e.Session).ToList();
        foreach (PayCard payCard in cardsToUpdate) {
            payCard.CalculatePayMoneyAmount(true);
        }

May I ask why the loading performed above also affect the payCard.PayCardUsage member that, as I mentioned before, is still Filtered with a "Criteria" expression?

"I would also like to remind you that a simpler and more reliable solution for such tasks is to use a non-secured IObjectSpace. Did you try applying it? If so, what difficulties did you encounter?
The example provided was extracted from a more complex use case in which the PayCard objects needs to be edited by the user within a web app in which we use permissions. According to my tests, if I use a non-secured objectSpace then I'm not able to access any kind of changes that are performed to the payCard objects that are not yet saved to the database, this is the reason why I would like to perform the logic within the same transaction but in a non secure session… Am I correct?

Thanks
D
D

gat 3 years ago

Hi Andrey,
I investigated more your suggestion

C#
var lst = new XPCollection<PayCardUsage>(e.Session).ToList();
        foreach (PayCard payCard in cardsToUpdate) {
            payCard.CalculatePayMoneyAmount(true);
        }

and I'm confused.
I would like to underline that in the test project there is a single Deny ObjectPermission that is:

C#
userRole.AddObjectPermissionFromLambda<PayCardUsage>(SecurityOperations.FullObjectAccess, o=>o.PayMoney==1000, SecurityPermissionState.Deny);

In the original example (without the var lst==… row) with the debugger I see (in the foreach) that on the payCard.PayCardUsages collection there is a Criteria set that is exactly equal to the criteria I put in the object permission ({Not [PayMoney] = 1000.0m}). According to this I supposed that the collection is empty due to the criteria and then I asked why within a non secured session I still have the collections affected by the security permissions.

Then, according to your suggestion, I added the row:
var lst = new XPCollection<PayCardUsage>(e.Session).ToList();
Now what I see is:

when the row is executed then the system loads from the database all the PayCardUsage records regardless of which Paycard needs to be updated (this could be a performance problem within a real environment).
The ({Not [PayMoney] = 1000.0m}) criteria is still on the payCard.PayCardUsages collection but now the collection is populated with records that do not match the original criteria… Is this expected? If yes, could you kindly explain me why?

Thanks
D

Andrey K (DevExpress Support) 3 years ago

Hello,

Do you mean that also this session is affected by the operations performed by the securitySystem? If yes, can you please suggest how to get an "non secured" session?

The Session instance that you get in the BeforeCommitTransaction event handler is 'unsecured' and you can get any data from a database using it.

May I ask why the loading performed above also affect the payCard.PayCardUsage member that, as I mentioned before, is still Filtered with a "Criteria" expression?

Creating a separate XPCollection (the 'lst' variable) loads data from a database. As a result, the PayCard class can access this data in the CalculatePayMoneyAmount method.

when the row is executed then the system loads from the database all the PayCardUsage records regardless of which Paycard needs to be updated (this could be a performance problem within a real environment).

If you don't wish to load all PayCardUsage objects from a database, use a corresponding XPCollection overload that allows you to pass a criterion. For example: XPCollection(Session, CriteriaOperator, SortProperty[]) Constructor.
Loading data from a database doesn't change the Criteria property of the PayCard.PayCardUsages collection. Please modify this solution further to address your business needs.

According to my tests, if I use a non-secured objectSpace then I'm not able to access any kind of changes that are performed to the payCard objects that are not yet saved to the database, this is the reason why I would like to perform the logic within the same transaction but in a non secure session… Am I correct?

You are right. A non-secured object space can't access not-saved objects. Note, however, that using a non-secured object space is a much more reliable way to work with secured data, so consider rewriting your logic so that it doesn't require to work with not-saved objects. If you prefer to stay with the BeforeCommitTransaction event, research our source to learn how exactly it works and how you can extend it to meet your requirements. The following article may help you debug a working application: KA18843 - How can I debug DevExpress .NET source code using PDB files | DevExpress Support.

Thanks,
Andrey

gat 3 years ago

Thanks Andrey,
You answered almost all my question except, could you please give me your opinion on:

"The ({Not [PayMoney] = 1000.0m}) criteria is still on the payCard.PayCardUsages collection but now the collection is populated with records that do not match the original criteria… Is this expected? If yes, could you kindly explain me why?"

At the end: explicitly loading the collections (like you did with the "lst" variable) may leads in loosing not-saved objects so I think that I cannot use it. I also think that it would be useful to update the original Q359904 making clear that the collections of the object available in the "non secured" session are also "filtered" according to possible permissions and for this reason cannot be used in a way of processing them "in the same transaction" but an explicit reload is required.

According to my understanding, and please correct me if I'm wrong, there is not any possibility of doing a processing method (that may result also in not saving the changes) on the payCard.PayCardUsages collection in which we can take in consideration both some new PayCardUsage record that are created but not yet saved and any other PayCardUsage that are already in the database but are denied due to some kind of permissions. Is this consideration correct?

Thanks
D

Andrey K (DevExpress Support) 3 years ago

Hello,

"The ({Not [PayMoney] = 1000.0m}) criteria is still on the payCard.PayCardUsages collection but now the collection is populated with records that do not match the original criteria… Is this expected? If yes, could you kindly explain me why?"

Yes, this behavior is expected. When an app loads XPCollection<PayCardUsage>, it adds each PayCardUsage object to all related associated collections. You can refer to our source code to learn more about how exactly this happens.

At the end: explicitly loading the collections (like you did with the "lst" variable) may leads in loosing not-saved objects so I think that I cannot use it.

Would you please modify the example that you used before to demonstrate this behavior?

According to my understanding, and please correct me if I'm wrong, there is not any possibility of doing a processing method (that may result also in not saving the changes) on the payCard.PayCardUsages collection in which we can take in consideration both some new PayCardUsage record that are created but not yet saved and any other PayCardUsage that are already in the database but are denied due to some kind of permissions. Is this consideration correct?

I wasn't able to reproduce this behavior. Would you please modify your example so that it uses my code and shows the problematic behavior in action? It will help us better describe limitations of the solution that we suggested in Q359904.

We look forward to your response.

Thanks,
Andrey

gat 3 years ago

Hello Andrey,
Sorry for being late but I was out.
Despite this was not clear to me, I think that this is also not reported in the documentation, your answer:
"Yes, this behavior is expected. When an app loads XPCollection<PayCardUsage>, it adds each PayCardUsage object to all related associated collections. You can refer to our source code to learn more about how exactly this happens."
clarified to me the overall behavior. For this reason I think that the newly loaded objects will be added to the collection without losing the not-saved objects.

I have a last question: could you please tell me how to force "reloading" all related associated collections of an object without using an external call?
I mean something like:

C#
payCard.Reload()

Thanks in advance.
D

Andrey K (DevExpress Support) 3 years ago

Hello,

I created a separate ticket on your behalf: T1057333: How to reload all related associated collections. We placed it in our processing queue and will process it shortly.

Thanks,
Andrye

Created: December 20, 2021 12:54 PM

Modified: January 5, 2022 8:47 AM

Platform: App Frameworks (UI, API, ORM)

Product: XAF - Specify UI Platform

Build: 21.1.7

Disclaimer: The information provided on DevExpress.com and affiliated web properties (including the DevExpress Support Center) is provided "as is" without warranty of any kind. Developer Express Inc disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Please refer to the DevExpress.com Website Terms of Use for more information in this regard.

Confidential Information: Developer Express Inc does not wish to receive, will not act to procure, nor will it solicit, confidential or proprietary materials and information from you through the DevExpress Support Center or its web properties. Any and all materials or information divulged during chats, email communications, online discussions, Support Center tickets, or made available to Developer Express Inc in any manner will be deemed NOT to be confidential by Developer Express Inc. Please refer to the DevExpress.com Website Terms of Use for more information in this regard.

Q359904: How to modify objects/properties in code when the user does not have the permission seems to not work.

Answers approved by DevExpress Support

Recently viewed tickets