
Get the Current User in Code


An application’s functionality may depend on the user who is currently logged on. So, you may be required to get the user name, user ID, or the entire user object. For this purpose, the static SecuritySystem class exposes the following properties:

ASP.NET Core classes (MVC controllers, Razor components) and Web API controllers cannot use these static properties. The following help topics describe how to use dependency injection to access an object that stores the current user:

The current user is also available in criteria expressions. This topic lists several common scenarios for accessing the current user.

Access Current User in Criteria

When you need the current user in filter criteria, use the CurrentUserId function criteria operator.

Initialize the Object Owner

EF Core

To assign a current user reference to the Owner property of your business class, support the IXafEntityObject and IObjectSpaceLink interfaces in this class and implement the IXafEntityObject.OnCreated method in the following manner:

void IXafEntityObject.OnCreated() {
    // objectSpace is the field that backs IObjectSpaceLink.ObjectSpace in this class.
    Owner = objectSpace.FindObject<ApplicationUser>(CriteriaOperator.Parse("ID=CurrentUserId()"));
}

Alternatively, you can inherit your business class from the DevExpress.Persistent.BaseImpl.EF.BaseObject and override its OnCreated method:

public class TestClass : BaseObject {
    public override void OnCreated() {
        Owner = ObjectSpace.FindObject<ApplicationUser>(CriteriaOperator.Parse("ID=CurrentUserId()"));
    }
}


The complete example is available in the IXafEntityObject interface description.


When using XPO, you can also override the BaseObject.AfterConstruction method as follows:

public override void AfterConstruction() {
    base.AfterConstruction();
    Owner = Session.FindObject<ApplicationUser>(CriteriaOperator.Parse("Oid=CurrentUserId()"));
}

Check Security Permissions in Code

The following help topic describes how to check if a user has a specific role or has permission to perform a specific operation: Determine if the Current User Has Specific Permissions.

Configure Permissions Based on the Object Owner

To grant access to objects that are owned by the current user and prohibit access to other objects, implement the Owner property as demonstrated above, and configure the security permissions as follows:

  • Add a Type Permission for the object type you wish to filter and set its ReadState property to Deny or leave it empty if the role’s Permission Policy is DenyAllByDefault.
  • Add an Object Permission to this Type Permission, and set its ReadState property to Allow and the Criteria property to Owner.Oid = CurrentUserId().

// Object permission with a string criterion:
userRole.AddObjectPermission<Note>(SecurityOperations.Read, "Owner.Oid = CurrentUserId()", SecurityPermissionState.Allow);
// The same permission written as a strongly typed lambda:
userRole.AddObjectPermissionFromLambda<Note>(SecurityOperations.Read, n => n.Owner.Oid == (Guid)CurrentUserIdOperator.CurrentUserId(), SecurityPermissionState.Allow);
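
The following EF Core sketch ties the owner initialization and the owner-based permissions together. It is an added example, not code from the original topic: the Note class, its Text property, the OwnerScopedRole helper and the "NoteOwners" role name are hypothetical, and ApplicationUser is assumed to be the application's user class with an ID key, as in the EF Core snippet above. It also goes beyond the Read permission shown above by scoping Write and Delete to the owner.

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using DevExpress.Data.Filtering;
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Security;
using DevExpress.Persistent.Base;
using DevExpress.Persistent.BaseImpl.EF.PermissionPolicy;

// Hypothetical business class whose objects belong to the user who created them.
public class Note : IXafEntityObject, IObjectSpaceLink {
    IObjectSpace objectSpace;
    [Key] public virtual Guid ID { get; set; }
    public virtual string Text { get; set; }
    public virtual ApplicationUser Owner { get; set; }

    // XAF assigns the Object Space that created or loaded this object.
    IObjectSpace IObjectSpaceLink.ObjectSpace {
        get => objectSpace;
        set => objectSpace = value;
    }
    // Runs once for a new object: record the logged-on user as the owner.
    void IXafEntityObject.OnCreated() {
        Owner = objectSpace.FindObject<ApplicationUser>(
            CriteriaOperator.Parse("ID=CurrentUserId()"));
    }
    void IXafEntityObject.OnLoaded() { }
    void IXafEntityObject.OnSaving() { }
}

public static class OwnerScopedRole {
    // EF Core key name; an XPO class would use Owner.Oid as shown above.
    const string OwnedByCurrentUser = "Owner.ID = CurrentUserId()";

    public static PermissionPolicyRole Create(IObjectSpace os) {
        PermissionPolicyRole role = os.CreateObject<PermissionPolicyRole>();
        role.Name = "NoteOwners"; // hypothetical role name
        // Everything is denied unless a permission below allows it,
        // so no explicit Deny type permission is needed for Note.
        role.PermissionPolicy = SecurityPermissionPolicy.DenyAllByDefault;
        // Any role member may create notes; OnCreated sets the owner.
        role.AddTypePermission<Note>(SecurityOperations.Create, SecurityPermissionState.Allow);
        // Read, write and delete apply only to objects the current user owns.
        role.AddObjectPermission<Note>(SecurityOperations.Read, OwnedByCurrentUser, SecurityPermissionState.Allow);
        role.AddObjectPermission<Note>(SecurityOperations.Write, OwnedByCurrentUser, SecurityPermissionState.Allow);
        role.AddObjectPermission<Note>(SecurityOperations.Delete, OwnedByCurrentUser, SecurityPermissionState.Allow);
        return role;
    }
}
```

Because the role uses DenyAllByDefault, a note created by another user matches none of the object permissions and stays inaccessible to the current user.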