Ticket Q570889

Security issue with saving object in Integrated Mode

created 11 years ago

Dear support,

In our application we want to implement the integrated security (by returning SecuredObjectSpaceProvider in CreateDefaultObjectSpaceProvider).
We get an exception while trying to save an object of type Auditing:

"Saving the 'Auditing.AuditingState' property is prohibited by validation rules".

The write permissions for Auditing are set up like that:
- No type permissions
- object permissions that grant write permission based on the AuditingState property

It's the same issue that a user had here (that ticket also has a sample project…):
Other support ticket

The solution there was to add a member permission:
"To solve this problem, add a member permission that grants Write access to the Topic.Replies property."

I have two issues with this solution:

  1. If I grant write permission to the member then that property will (obviously) not be write protected in the view afterwards.
  2. If I want to check permissions in code like that:
C#
SecuritySystem.IsGranted(new ClientPermissionRequest(typeof(Auditing), null, ObjectSpace.GetObjectHandle(theObject), "Write"))

it always evaluates to true because of this code in ServerPermissionRequestProcessor.cs:

C#
if(IsOperationGrantedByObjectPermissions(permissionRequest.TargetObject, permissionRequest.ExpressionEvaluatorProvider, permissionRequest.Operation)) {
    return true;
}
if(IsAnyMemberPermissionGranted(targetType, permissionRequest.Operation)) {
    return true; // PROBLEM
}

Is there any solution for this issue?

Thank you!

Comments (2)
DevExpress Support Team 11 years ago

    Hello Bernd,
    It seems that you have configured permissions incorrectly. Would you please send us a simple sample where this issue is reproducible? We will be happy to help you.
    >>If I grant write permission to the member then that property will (obviously) not be write protected in the view afterwards.
    If you specify criteria in this permission, then this member will be written as protected.
    >>2. If I want to check permissions in code like that:
    SecuritySystem.IsGranted(new ClientPermissionRequest(typeof(Auditing), null, ObjectSpace.GetObjectHandle(theObject), "Write"))
    This method returns information for the whole object. You need to specify the member as a second parameter to return the correct result.
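The difference between the object-level and the member-level check discussed above, as an added example that is not part of the original ticket and not DevExpress code. It is a simplified stand-alone model: the `Permission` record, the `Model` class and the rule set are assumptions built from the snippet and the replies quoted in this thread. For an object with `IsProtected` set, the object-level check still grants Write through the any-member branch, while the member-level check denies it.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Simplified model of the checks quoted in the ticket; not DevExpress code.
class BusinessObject1 { public bool IsProtected; public string Name = ""; }

// Member == null models an object permission; otherwise a member permission.
record Permission(string Operation, string Member, Func<BusinessObject1, bool> Criteria);

static class Model {
    // Constructed rule set: both grants apply only while IsProtected is false.
    static readonly List<Permission> Rules = new() {
        new("Write", null, o => !o.IsProtected),
        new("Write", nameof(BusinessObject1.IsProtected), o => !o.IsProtected),
    };

    // Object-level request (no member given), following the quoted branch order.
    public static bool IsGrantedForObject(BusinessObject1 target, string op) {
        if (Rules.Any(p => p.Member == null && p.Operation == op && p.Criteria(target)))
            return true;
        // Mirrors IsAnyMemberPermissionGranted(targetType, operation):
        // no target object is passed, so the criteria cannot be evaluated.
        return Rules.Any(p => p.Member != null && p.Operation == op);
    }

    // Member-level request: the criteria are evaluated against the target object.
    public static bool IsGrantedForMember(BusinessObject1 target, string member, string op) =>
        Rules.Any(p => p.Operation == op && p.Criteria(target)
                       && (p.Member == null || p.Member == member));

    static void Main() {
        var locked = new BusinessObject1 { IsProtected = true };
        Console.WriteLine(IsGrantedForObject(locked, "Write"));
        Console.WriteLine(IsGrantedForMember(locked, nameof(BusinessObject1.IsProtected), "Write"));
        Console.WriteLine(IsGrantedForMember(locked, nameof(BusinessObject1.Name), "Write"));
    }
}
```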

      Hello Alexey, thank you for your answer.
      I attached a sample project that shows the issue. Please log in with the user "TestUser". Then create an object of type BusinessObject1 and set IsProtected to true. Then save it.
      The business case behind this is that I want to have an object that is write protected based on one of its properties. But that property needs to be changed by the user in order to make that object write protected. And afterwards the user should no longer be able to change the object or the specific property.
      So step by step it would be:

      1. User creates the object and has write permission as long as IsProtected is false.
      2. User sets IsProtected to true and saves.
      3. User no longer has write permission for the object and any of its members, so he should not be able to set IsProtected to false again. It is a one-way ticket in our business case.

      Answers approved by DevExpress Support

      created 11 years ago (modified 11 years ago)

      Hello,
      Currently, this scenario is not supported. We are planning to improve this behavior. Please track the "Security - Provide an easy way to create additional objects or modify protected properties in code (preferably within the same transaction)" thread to be informed about our progress. Refer to the "SecurityStrategyComplex: How to modify objects/properties in code when the user does not have the permission?" thread for a workaround.

        Comments (2)

          Thank you for your help and the link to workaround.

          DevExpress Support Team 11 years ago

            You're welcome.
