Authorization Logic — Query Builder | ASP.NET Web Forms Controls

Mar 06, 2025
3 minutes to read

The DevExpress ASP.NET WebForms Query Builder allows users to browse available data connections and tables. The Query Builder is integrated into both the DevExpress Report Designer and Dashboard Designer and can be used as a standalone control. To address CWE-285-related security risks, restrict access to data displayed within the Query Builder as follows:

Implement a custom connection string provider to restrict access to connection strings:

public class DataSourceWizardConnectionStringsProvider : IDataSourceWizardConnectionStringsProvider {

    public Dictionary<string, string> GetConnectionDescriptions() {
        Dictionary<string, string> connections =
            new Dictionary<string, string> { { "nwindConnection", "NWind database" } };

        // Implement access restriction logic, for instance
        // if(GetIdentityName() == "Admin")
        //     connections.Add("secretConnection", "Admin only database");

        return connections;
    }

    public DataConnectionParametersBase GetDataConnectionParameters(string name) {
        return AppConfigHelper.LoadConnectionParameters(name);
    }
}

Public Class DataSourceWizardConnectionStringsProvider
    Inherits IDataSourceWizardConnectionStringsProvider

    Public Function GetConnectionDescriptions() As Dictionary(Of String, String)
        Dim connections As Dictionary(Of String, String) = New Dictionary(Of String, String) From {
            {"nwindConnection", "NWind database"}
        }

        ' Implement access restriction logic, for instance
        ' if(GetIdentityName() == "Admin")
        '     connections.Add("secretConnection", "Admin only database");

        Return connections
    End Function

    Public Function GetDataConnectionParameters(ByVal name As String) As DataConnectionParametersBase
        Return AppConfigHelper.LoadConnectionParameters(name)
    End Function
End Class

Implement a custom database schema provider to restrict access to data tables, views, and stored procedures:

// Uncomment the following class for the Query Builder integrated into Dashboard Designer

// public class DataSourceWizardDBSchemaProviderExFactory : DevExpress.DataAccess.Web.IDataSourceWizardDBSchemaProviderExFactory {
//    public IDBSchemaProviderEx Create() {
//        return new DBSchemaProviderEx();
//    }
//}

public class DBSchemaProviderEx : IDBSchemaProviderEx {
    public DBTable[] GetTables(SqlDataConnection connection, params string[] tableList) {        
        // Check permissions here
        var dbTables = connection.GetDBSchema().Tables;
        return dbTables.Where(t => t.Name == "Categories" || t.Name == "Products").ToArray();
    }

    public DBTable[] GetViews(SqlDataConnection connection, params string[] viewList) {
        return Array.Empty<DBTable>();
    }

    public DBStoredProcedure[] GetProcedures(SqlDataConnection connection, params string[] procedureList) {
        return Array.Empty<DBStoredProcedure>();
    }

    public void LoadColumns(SqlDataConnection connection, params DBTable[] tables) {
    }
}

' Uncomment the following class for the Query Builder integrated into Dashboard Designer

'public class DataSourceWizardDBSchemaProviderExFactory : DevExpress.DataAccess.Web.IDataSourceWizardDBSchemaProviderExFactory {
'    public IDBSchemaProviderEx Create() {
'        return new DBSchemaProviderEx();
'    }
'}

Public Class DBSchemaProviderEx
    Inherits IDBSchemaProviderEx

    Public Function GetTables(ByVal connection As SqlDataConnection, ParamArray tableList As String()) As DBTable()
        ' Check permissions here
        Dim dbTables = connection.GetDBSchema().Tables
        Return dbTables.Where(Function(t) t.Name = "Categories" OrElse t.Name = "Products").ToArray()
    End Function

    Public Function GetViews(ByVal connection As SqlDataConnection, ParamArray viewList As String()) As DBTable()
        Return Array.Empty(Of DBTable)()
    End Function

    Public Function GetProcedures(ByVal connection As SqlDataConnection, ParamArray procedureList As String()) As DBStoredProcedure()
        Return Array.Empty(Of DBStoredProcedure)()
    End Function

    Public Sub LoadColumns(ByVal connection As SqlDataConnection, ParamArray tables As DBTable())
    End Sub
End Class

Register your custom providers for the DevExpress Dashboard Designer, Report Designer, or standalone Query Builder in the Global.asax.cs or Global.asax.vb file:

Dashboard Designer

DashboardConfigurator.Default.SetConnectionStringsProvider(new DataSourceWizardConnectionStringsProvider());
DashboardConfigurator.Default.SetDBSchemaProvider(new DBSchemaProviderEx());

DashboardConfigurator.[Default].SetConnectionStringsProvider(New DataSourceWizardConnectionStringsProvider())
DashboardConfigurator.[Default].SetDBSchemaProvider(New DBSchemaProviderEx())

Report Designer

DefaultReportDesignerContainer.RegisterDataSourceWizardConnectionStringsProvider<DataSourceWizardConnectionStringsProvider>();
DefaultReportDesignerContainer.RegisterDataSourceWizardDBSchemaProviderExFactory<DataSourceWizardDBSchemaProviderExFactory>();

DefaultReportDesignerContainer.RegisterDataSourceWizardConnectionStringsProvider(Of DataSourceWizardConnectionStringsProvider)()
DefaultReportDesignerContainer.RegisterDataSourceWizardDBSchemaProviderExFactory(Of DataSourceWizardDBSchemaProviderExFactory)()

Standalone Query Builder

DefaultQueryBuilderContainer.Register<IDataSourceWizardConnectionStringsProvider, DataSourceWizardConnectionStringsProvider>();
DefaultQueryBuilderContainer.RegisterDataSourceWizardDBSchemaProviderExFactory<DataSourceWizardDBSchemaProviderExFactory>();

DefaultQueryBuilderContainer.Register(Of IDataSourceWizardConnectionStringsProvider, DataSourceWizardConnectionStringsProvider)()
DefaultQueryBuilderContainer.RegisterDataSourceWizardDBSchemaProviderExFactory(Of DataSourceWizardDBSchemaProviderExFactory)()

Controls

FREE UTILITIES

Controls and Extensions

FREE UTILITIES

Controls

FREE UTILITIES

Controls and Extensions

FREE UTILITIES

Authorization Logic — Query Builder