DevExpress eXpress Persistent Objects (XPO) through WCF
Hello all DevExpress devs! =)
I'm trying to tame Express Persistent Objects remotely.
Actually, XPO allows two different approaches - accessing the database directly, and through WebService/WCF.
For security reasons, we've chosen the second option. Now, WCF wraps database access, and clients must authenticate themselves in order to access the database.
The software is a Document Management System. Therefore, its main database tables (classes inherited from XpObject) are "Documents" and "Users". We also have an additional table (XPO class), "DocumentUserAccess", which binds Users and Documents together through associations. Clients retrieve data through XPCollections.
Even though clients must authenticate now, we must restrict their access to some Documents (while administrators should have access to all Documents).
The webservice part contains the following code for making remote XPO access possible:
Private Function Common_IDataStoreContract_ModifyData(ByVal ParamArray dmlStatements As ModificationStatement()) As ModificationResult Implements IDataStoreContract.ModifyData
    Return wrappedDataStore.ModifyData(dmlStatements)
End Function
Private Function Common_IDataStoreContract_SelectData(ByVal ParamArray selects As SelectStatement()) As SelectedData Implements IDataStoreContract.SelectData
    Dim data As SelectedData = wrappedDataStore.SelectData(selects)
    Return data
End Function
And it's quite easy to restrict access to some TABLES:
For Each statement In dmlStatements
    If Not UserCanAccessTable(OperationContext.Current.ServiceSecurityContext.PrimaryIdentity.Name, statement.TableName) Then
        Throw New Security.SecurityAccessDeniedException("You aren't allowed to modify this table.")
    End If
Next
BUT, we can't figure out how to limit access to some ROWS.
As seen above, all criteria and other parameters of the client request are accessible in statements (DevExpress.XPO.DB.ModificationStatement class).
At the same time, how to check whether the user requests a specific document? Clients can use different criteria for fetching Documents, not only OIDs and Names. For example, a client can request a collection of documents based on a date range.
So, until the database request has executed, we can't find out which rows the client will receive or modify, and we can't check whether those rows are accessible to him.
Any help would be MUCH appreciated.
Thank you,
John
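The row-level problem in the question does not require predicting the result set: the service can AND a server-owned access predicate into every statement's condition before it reaches the wrapped store, so the database itself returns or modifies only permitted rows. The following is an added example modelling that idea, not code from the original post or from DevExpress; it uses Python with sqlite3 instead of XPO, and the column names, the `(column, operator, value)` criteria format and the function names are assumptions. `caller` stands for the authenticated identity name the service already has.

```python
import sqlite3

# Constructed sample data; table names follow the post, column names are assumptions.
SCHEMA = """
CREATE TABLE Users (Oid INTEGER PRIMARY KEY, Name TEXT UNIQUE, IsAdmin INTEGER);
CREATE TABLE Documents (Oid INTEGER PRIMARY KEY, Name TEXT, Created TEXT);
CREATE TABLE DocumentUserAccess (UserOid INTEGER, DocumentOid INTEGER);
INSERT INTO Users VALUES (1,'admin',1),(2,'john',0),(3,'mary',0);
INSERT INTO Documents VALUES (10,'budget','2011-01-05'),(11,'plan','2011-01-20'),
                             (12,'memo','2011-03-01');
INSERT INTO DocumentUserAccess VALUES (2,10),(3,11),(3,12);
"""

# Server-owned predicate: visible if the caller is an admin or has an access row.
ROW_FILTER = """(
  EXISTS (SELECT 1 FROM Users u WHERE u.Name = :caller AND u.IsAdmin = 1)
  OR EXISTS (SELECT 1 FROM DocumentUserAccess a JOIN Users u ON u.Oid = a.UserOid
             WHERE u.Name = :caller AND a.DocumentOid = Documents.Oid))"""
COLUMNS = {"Oid", "Name", "Created"}          # columns a client may filter on
OPS = {"=", "<", "<=", ">", ">=", "LIKE"}     # operators a client may use

def build_where(criteria, caller):
    """AND the client's (column, op, value) criteria with the server's row filter."""
    clauses, params = [], {"caller": caller}
    for i, (col, op, val) in enumerate(criteria):
        if col not in COLUMNS or op not in OPS:
            raise PermissionError(f"criterion not allowed: {col!r} {op!r}")
        clauses.append(f"Documents.{col} {op} :p{i}")
        params[f"p{i}"] = val
    # The filter is appended last and unconditionally; the client cannot drop it.
    return " AND ".join(clauses + [ROW_FILTER]), params

def select_documents(db, caller, criteria):
    where, params = build_where(criteria, caller)
    sql = f"SELECT Name FROM Documents WHERE {where} ORDER BY Oid"
    return [row[0] for row in db.execute(sql, params)]

def rename_documents(db, caller, new_name, criteria):
    where, params = build_where(criteria, caller)
    params["new_name"] = new_name
    sql = f"UPDATE Documents SET Name = :new_name WHERE {where}"
    return db.execute(sql, params).rowcount   # rows the caller was allowed to change

def demo_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db
```

If client criteria can contain OR, the whole client condition has to be parenthesized before the filter is ANDed on, otherwise operator precedence lets a branch escape it.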
Comments (1)
As far as we know, the answer to the question is posted at:
http://www.devexpress.com/Support/Center/ViewIssue.aspx?issueid=Q266294
:)