IWebDocumentViewerAuthorizationService Interface

Implements custom authorization to restrict access to reports and generated documents in a web reporting application.

Namespace: DevExpress.XtraReports.Web.WebDocumentViewer

Assembly: DevExpress.XtraReports.v21.1.Web.dll

Declaration

public interface IWebDocumentViewerAuthorizationService

Remarks

General Information

The Document Viewer queries the IWebDocumentViewerAuthorizationService service when the control performs the following actions:

  • Operations that read a report from the internal storage
  • Operations that create a document or render a document page
  • Export and print operations
  • Search operations
  • Operations that request data from a document, such as processing the contents of the editable fields or building a document map.

For access control purposes, all operations can be classified by the object that the document viewer processes in a particular operation. The objects are:

  • Reports
  • Documents
  • Document export results.
TIP

Review the following topic for more information on the Document Viewer operations: Document Viewer Lifecycle

Implementation

You should add a custom logic to the IWebDocumentViewerAuthorizationService methods to determine whether the current user is allowed to perform the operation. The methods are grouped by objects that require authorized access.

CanCreateReport
Verifies whether the user can create a report in the viewer’s internal storage. If this method returns false, the Document Viewer fails on initialization. Implement this method to restrict users from previewing a report in the Report Designer.
CanReadReport
Verifies whether the user can perform an operation with the report. The method is called when the Document Viewer requests report parameters, their lookup values, initiates document creation or a drill-through operation. You can determine that the initiator of the operation is the same user who opened the report.
CanReleaseReport
Prevents unauthorized disposal of the report when performed by a person who is not a report creator, or when the report is shared by several users, and the current user is not allowed to dispose of the report.
CanCreateDocument
Verifies whether the user can create a document in the viewer’s internal storage. You can use this method to restrict the number of report creation operations the user initiates.
CanReadDocument
Allows you to prevent unauthorized operations with a document. Refer to the API method help topic for the list of operations.
CanReleaseDocument
Prevents unauthorized disposal of the document from the viewer’s cache and internal storage.

When you implement these methods, you need information about the current user, about the report that the user opens, what parameters are applied, what are the ids assigned to the report, the document and to the document generated in an asynchronous export operation. Implement the WebDocumentViewerOperationLogger interface to gather all the required information.

Examples

ASP.NET MVC Example

View Example: Implement User Authorization

The following code is a custom interface implementation that allows authorized users to view the report in the Document Viewer. A custom WebDocumentViewerOperationLogger service populates dictionaries with the user id, report id, document id and asynchronous operation id. The IWebDocumentViewerAuthorizationService controls access to reports and documents, the IExportingAuthorizationService controls access to the asynchronously exported document.

using DevExpress.XtraReports.UI;
using DevExpress.XtraReports.Web.WebDocumentViewer;
using System.Collections.Concurrent;
using System.Web;
using System;
using DevExpress.XtraPrinting;
using DevExpress.XtraReports.Web.ClientControls;

namespace AuthorizationService.Services {
    public class OperationLogger: WebDocumentViewerOperationLogger, 
        IWebDocumentViewerAuthorizationService, 
        IExportingAuthorizationService
    {
        #region WebDocumentViewerOperationLogger
        public override void ReportOpening(string reportId, string documentId, XtraReport report) 
        {
            if (HttpContext.Current.Session == null) {
                return;
            }
            SaveUsedEntityId(Constants.ReportDictionaryName, reportId);
            SaveUsedEntityId(Constants.DocumentDictionaryName, documentId);
        }

        public override void BuildStarted(string reportId, string documentId, 
            ReportBuildProperties buildProperties) 
        {
            SaveUsedEntityId(Constants.ReportDictionaryName, reportId);
            SaveUsedEntityId(Constants.DocumentDictionaryName, documentId);
        }

        public override ExportedDocument ExportDocumentStarting(string documentId, 
            string asyncExportOperationId, string format, ExportOptions options, 
            PrintingSystemBase printingSystem, Func<ExportedDocument> doExportSynchronously) 
        {
            SaveUsedEntityId(Constants.ExportedDocumentDictionaryName, asyncExportOperationId);
            return base.ExportDocumentStarting(documentId, asyncExportOperationId, format, options, 
                printingSystem, doExportSynchronously);
        }

        public override void ReleaseDocument(string documentId) {

        }
        #endregion WebDocumentViewerOperationLogger

        #region IWebDocumentViewerAuthorizationService
        bool IWebDocumentViewerAuthorizationService.CanCreateDocument() {
            return CheckUserAuthorized();
        }

        bool IWebDocumentViewerAuthorizationService.CanCreateReport() {
            return CheckUserAuthorized();
        }

        bool IWebDocumentViewerAuthorizationService.CanReadDocument(string documentId) {
            return CheckEntityAvailability(Constants.DocumentDictionaryName, documentId);
        }

        bool IWebDocumentViewerAuthorizationService.CanReadReport(string reportId) {
            return CheckEntityAvailability(Constants.ReportDictionaryName, reportId);
        }

        bool IWebDocumentViewerAuthorizationService.CanReleaseDocument(string documentId) {
            return CheckEntityAvailability(Constants.DocumentDictionaryName, documentId);
        }

        bool IWebDocumentViewerAuthorizationService.CanReleaseReport(string reportId) {
            return CheckEntityAvailability(Constants.ReportDictionaryName, reportId);
        }

        public bool CanReadExportedDocument(string exportDocumentId) {
            return CheckEntityAvailability(Constants.ExportedDocumentDictionaryName, exportDocumentId);
        }
        #endregion IWebDocumentViewerAuthorizationService, IExportingAuthorizationService

        bool CheckUserAuthorized() {
            var user = HttpContext.Current.User;
            if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            {
                return false;
            }
            return true;
        }

        void SaveUsedEntityId(string dictionaryName, string id) {
            if (string.IsNullOrEmpty(id))
                return;

            ConcurrentDictionary<string, bool> dictionary = null;
            lock (HttpContext.Current.Session.SyncRoot) {
                if (HttpContext.Current.Session[dictionaryName] == null)
                     HttpContext.Current.Session[dictionaryName] = dictionary 
                        = new ConcurrentDictionary<string, bool>();
            }
            if (dictionary == null)
                dictionary = ((ConcurrentDictionary<string, bool>)HttpContext.Current.
                    Session[dictionaryName]);
            dictionary.AddOrUpdate(id, false, (_1, _2) => false);
        }

        bool CheckEntityAvailability(string dictionaryName, string id) {
            if (string.IsNullOrEmpty(id) || !CheckUserAuthorized())
                return false;

            lock (HttpContext.Current.Session.SyncRoot) {
                if (HttpContext.Current.Session[dictionaryName] == null)
                    return false;
            }
            return 
            ((ConcurrentDictionary<string, bool>)HttpContext.Current.
                Session[dictionaryName]).ContainsKey(id);
        }

        void DisposeEntityRequested(string dictionaryName, string id) {
            if (string.IsNullOrEmpty(id))
                return;
            lock (HttpContext.Current.Session.SyncRoot) {
                if (HttpContext.Current.Session[dictionaryName] == null)
                    return;
            }
            ((ConcurrentDictionary<string, bool>)HttpContext.Current.
                Session[dictionaryName]).AddOrUpdate(id, true, (_1, _2) => true);
        }
    }
}

Register the service on application startup:

protected void Application_Start() {
...
    DefaultWebDocumentViewerContainer.Register<IExportingAuthorizationService, Services.OperationLogger>();
    DefaultWebDocumentViewerContainer.Register<WebDocumentViewerOperationLogger, Services.OperationLogger>();
    DefaultWebDocumentViewerContainer.Register<IWebDocumentViewerAuthorizationService, Services.OperationLogger>();
    ...
}

ASP.NET Core Example

View Example: Implement User Authorization

The following code is a custom interface implementation that allows authorized users to view the report in the Document Viewer. A custom WebDocumentViewerOperationLogger service populates dictionaries with the user id, report id, document id and asynchronous operation id. The IWebDocumentViewerAuthorizationService controls access to reports and documents, the IExportingAuthorizationService controls access to the asynchronously exported document.

using System;
using System.Collections.Concurrent;
using DevExpress.XtraPrinting;
using DevExpress.XtraReports.UI;
using DevExpress.XtraReports.Web.ClientControls;
using DevExpress.XtraReports.Web.WebDocumentViewer;

namespace AspNetCore.Reporting.Common.Services.Reporting {
    class DocumentViewerAuthorizationService : 
        WebDocumentViewerOperationLogger, 
        IWebDocumentViewerAuthorizationService, 
        IExportingAuthorizationService 
    {
        static ConcurrentDictionary<string, string> DocumentIdOwnerMap { get; } = 
            new ConcurrentDictionary<string, string>();
        static ConcurrentDictionary<string, string> ExportedDocumentIdOwnerMap { get; } = 
            new ConcurrentDictionary<string, string>();
        static ConcurrentDictionary<string, string> ReportIdOwnerMap { get; } = 
            new ConcurrentDictionary<string, string>();

        IAuthenticatiedUserService UserService { get; }

        public DocumentViewerAuthorizationService(IAuthenticatiedUserService userService) 
        {
            UserService = userService ?? throw new ArgumentNullException(nameof(userService));
        }

        public override void ReportOpening(string reportId, string documentId, XtraReport report) 
        {
            MapIdentifiersToUser(UserService.GetCurrentUserId(), documentId, reportId, null);
            base.ReportOpening(reportId, documentId, report);
        }

        public override void BuildStarted(string reportId, string documentId, 
            ReportBuildProperties buildProperties) 
        {
            MapIdentifiersToUser(UserService.GetCurrentUserId(), documentId, reportId, null);
            base.BuildStarted(reportId, documentId, buildProperties);
        }

        public override ExportedDocument ExportDocumentStarting(string documentId, 
            string asyncExportOperationId, string format, ExportOptions options, 
            PrintingSystemBase printingSystem, Func<ExportedDocument> doExportSynchronously) 
        {
            MapIdentifiersToUser(UserService.GetCurrentUserId(), null, null, asyncExportOperationId);
            return base.ExportDocumentStarting(documentId, 
                asyncExportOperationId, format, options, printingSystem, doExportSynchronously);
        }

        void MapIdentifiersToUser(string userId, string documentId, 
            string reportId, string exportedDocumentId) 
        {
            if(!string.IsNullOrEmpty(exportedDocumentId))
                ExportedDocumentIdOwnerMap.TryAdd(exportedDocumentId, userId);

            if(!string.IsNullOrEmpty(documentId)) 
                DocumentIdOwnerMap.TryAdd(documentId, userId);

            if(!string.IsNullOrEmpty(reportId)) 
                ReportIdOwnerMap.TryAdd(reportId, userId);

        }

        #region IWebDocumentViewerAuthorizationService
        public bool CanCreateDocument() 
        {
            return true;
        }

        public bool CanCreateReport() 
        {
            return true;
        }

        public bool CanReadDocument(string documentId) 
        {
            return DocumentIdOwnerMap.TryGetValue(documentId, out var ownerId) 
                && ownerId == UserService.GetCurrentUserId();
        }

        public bool CanReadReport(string reportId) 
        {
            return ReportIdOwnerMap.TryGetValue(reportId, out var ownerId) 
                && ownerId == UserService.GetCurrentUserId();
        }

        public bool CanReleaseDocument(string documentId) 
        {
            return true;
        }

        public bool CanReleaseReport(string reportId) 
        {
            return true;
        }

        public bool CanReadExportedDocument(string exportedDocumentId) 
        {
            return ExportedDocumentIdOwnerMap.TryGetValue(exportedDocumentId, out var ownerId) 
                && ownerId == UserService.GetCurrentUserId();
        }
        #endregion
    }
}

Register the service on application start. The following code registers three services which implement access check in our example:

public class Startup {
    // ...
    public void ConfigureServices(IServiceCollection services) {
        // ...
        services.AddScoped<IWebDocumentViewerAuthorizationService, DocumentViewerAuthorizationService>();
        services.AddScoped<WebDocumentViewerOperationLogger, DocumentViewerAuthorizationService>();
        services.AddScoped<IExportingAuthorizationService, DocumentViewerAuthorizationService>();
        // ...
    }
    // ...
}
See Also