KB Article T530314
Visible to All Users

Security - How to handle end-user attempts to delete their own security User and Role records that may interrupt access to the application

Restrict non-Administrators by default

Normally, regular users do not have access to other security user and role data - they can only edit limited fields of their own user record and optionally see a readonly list of own roles. To implement this, define the corresponding security permissions for restricted roles. As a result, XAF will automatically disable the Delete Action in the UI.

Prevent user deletion by himself or herself

A user may go to the 'Users' or 'My Details' Views and try to execute the Delete Action for their own record. The basic protection is the default confirmation dialog for this operation:

Clipboard-File-3.png

Further, if your security user type is PermissionPolicyUser/SecuritySystemUser (XPO) or PermissionPolicyUser/User (EF6), XAF will prevent this invalid operation using the built-in validation rule like this:

C#
[RuleCriteria("PermissionPolicyUser_XPO_Prevent_delete_logged_in_user", DefaultContexts.Delete, "[Oid] != CurrentUserId()", "Cannot delete the current logged-in user. Please log in using another user account and retry.")]

Clipboard-File-2.png

If you have a custom user type, you can add a similar validation rule or prevent this operation in code yourself.

Handle user deletion by Administrators

If a user was deleted by other users (or directly in the database), XAF will show a warning message to the deleted user and log off the application automatically to prevent unauthorized usage.

Clipboard-File-4.png

This behavior is handled by the DevExpress.ExpressApp.Security.CheckCurrentUserIsDeletedController class that subscribes to the internal SecurityStrategy.CurrentUserDeleted event. While this API is internal and undocumented, you can deactivate this Controller using the standard approaches, if required.

Prevent deletion of the last active Administrator and the last administrative role with active users

To implement this functionality, create custom validation rules as shown in the following help topic: How to: Prevent Users from Deleting and Updating Administrative User and Role Objects.

Disclaimer: The information provided on DevExpress.com and affiliated web properties (including the DevExpress Support Center) is provided "as is" without warranty of any kind. Developer Express Inc disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Please refer to the DevExpress.com Website Terms of Use for more information in this regard.

Confidential Information: Developer Express Inc does not wish to receive, will not act to procure, nor will it solicit, confidential or proprietary materials and information from you through the DevExpress Support Center or its web properties. Any and all materials or information divulged during chats, email communications, online discussions, Support Center tickets, or made available to Developer Express Inc in any manner will be deemed NOT to be confidential by Developer Express Inc. Please refer to the DevExpress.com Website Terms of Use for more information in this regard.