Restrict non-Administrators by default
Normally, regular users do not have access to other security user and role data - they can only edit limited fields of their own user record and optionally see a readonly list of own roles. To implement this, define the corresponding security permissions for restricted roles. As a result, XAF will automatically disable the Delete Action in the UI.
Prevent user deletion by himself or herself
A user may go to the 'Users' or 'My Details' Views and try to execute the Delete Action for their own record. The basic protection is the default confirmation dialog for this operation:
Further, if your security user type is PermissionPolicyUser/SecuritySystemUser (XPO) or PermissionPolicyUser/User (EF6), XAF will prevent this invalid operation using the built-in validation rule like this:
C#[RuleCriteria("PermissionPolicyUser_XPO_Prevent_delete_logged_in_user", DefaultContexts.Delete, "[Oid] != CurrentUserId()", "Cannot delete the current logged-in user. Please log in using another user account and retry.")]
If you have a custom user type, you can add a similar validation rule or prevent this operation in code yourself.
Handle user deletion by Administrators
If a user was deleted by other users (or directly in the database), XAF will show a warning message to the deleted user and log off the application automatically to prevent unauthorized usage.
This behavior is handled by the DevExpress.ExpressApp.Security.CheckCurrentUserIsDeletedController class that subscribes to the internal SecurityStrategy.CurrentUserDeleted event. While this API is internal and undocumented, you can deactivate this Controller using the standard approaches, if required.
Prevent deletion of the last active Administrator and the last administrative role with active users
To implement this functionality, create custom validation rules as shown in the following help topic: How to: Prevent Users from Deleting and Updating Administrative User and Role Objects.