Skip to main content
BuyLog In
XAF: Cross-Platform .NET App UI & Web API
Search in…
Docs > Application Security and Data Safety > Security (Access Control & Authentication) > Authorization and Data Protection > Filter out Secured Data Based on the Object Owner > Get the Current User in Code
All docs
V23.2
.NET 6.0+
XAF: Cross-Platform .NET App UI & Web API
Getting Started
Installation, Upgrade, Version History
Backend Web API Service
UI Shell and Base Infrastructure
Storage, ORM, and Business Model Design
Data Manipulation and Business Logic
User Interface and Behavior Customization
Data Filtering
Application Security and Data Safety
Security (Access Control & Authentication)
Security Tiers
User Logon and Authentication
ORM Object Model, Policy Configuration and Storage
Authorization and Data Protection
Check Access Permissions
Filter out Secured Data Based on the Object Owner
Get the Current User in Code
Prevent Users from Deleting and Updating Administrative User and Role Objects
Non-XAF UI Scenarios
Security Considerations
Audit Trail (History of Data Changes)
Multi-Tenancy (Data per Tenant)
Validation (Prevent Data Errors)
Conditional Appearance (Manage State of UI Elements)
Reporting (Shape, Export & Print Data)
Analytics (Extract Data Insights)
Document Management
Business Process Management
Event Planning
Localization
Accessibility Support
Debugging, Testing and Error Handling
Deployment
Support, QA & Troubleshooting
API Reference
Download CHM

Get the Current User in Code

  • 4 minutes to read

An application’s functionality may depend on the user who is currently logged on. So, you may need to get the user name, user ID, or the entire user object. This topic describes how to access the current user information in popular use case scenarios.

In .NET 6+ Applications

The following help topics describe how to use Dependency Injection to access an object that stores the current user information:

In .NET Framework Applications

In .NET Framework Applications, you can use the following static properties exposed by the SecuritySystem class to access the current user information:

Note

ASP.NET 6+ classes (MVC controllers, Razor components) and Web API controllers cannot use these static properties.

Access Current User in Criteria

When you are required to use the current user in a filter criteria, use the CurrentUserId function criteria operator.

Initialize the Object Owner

EF Core

To assign a current user reference to the Owner property of your business class, implement the IXafEntityObject and IObjectSpaceLink interfaces in this class and implement the IXafEntityObject.OnCreated method in the following manner:

using DevExpress.ExpressApp.Security;
// ...
public class TestClass : IXafEntityObject, IObjectSpaceLink {
    public virtual ApplicationUser? Owner { get; set; }
    void IXafEntityObject.OnCreated() {
        Owner = ObjectSpace.GetObjectByKey<ApplicationUser>(
            ObjectSpace.ServiceProvider.GetRequiredService<ISecurityStrategyBase>().UserId);
    }
    // ...
}

Alternatively, you can inherit your business class from the DevExpress.Persistent.BaseImpl.EF.BaseObject and override its OnCreated method:

using DevExpress.ExpressApp.Security;
// ...
public class TestClass : BaseObject {
    public virtual ApplicationUser? Owner { get; set; }
    public override void OnCreated() {
        Owner = ObjectSpace.GetObjectByKey<ApplicationUser>(
            ObjectSpace.ServiceProvider.GetRequiredService<ISecurityStrategyBase>().UserId);
    }
    // ...
}

Note

The complete example is available in the IXafEntityObject interface description.

XPO

When using XPO, you can also override the BaseObject.AfterConstruction method as follows:

public class TestClass : BaseObject {
    ApplicationUser? owner;
    public ApplicationUser? Owner {
        get => owner;
        set => SetPropertyValue(nameof(Owner), ref owner, value);
    }
    public override void AfterConstruction() {
        base.AfterConstruction();
        Owner = Session.GetObjectByKey<ApplicationUser>(
            Session.ServiceProvider.GetRequiredService<ISecurityStrategyBase>().UserId);
    }
    // ...
}

Check Security Permissions in Code

The following help topic describes how to check if a user has a specific role or has permission to perform a specific operation: Determine if the Current User Has Specific Permissions.

Configure Permissions Based on the Object Owner

To grant access to objects that are owned by the current user and prohibit access to other objects, implement the Owner property as demonstrated above, and configure the security permissions as follows:

  • Add a Type Permission for the object type you wish to filter and set its ReadState property to Deny or leave it empty if the role’s Permission Policy is DenyAllByDefault.
  • Add an Object Permission to this Type Permission, and set its ReadState property to Allow and the Criteria property to Owner.Oid = CurrentUserId().
userRole.AddObjectPermission<Note>(SecurityOperations.Read, "Owner.Oid = CurrentUserId()", SecurityPermissionState.Allow);
// or
userRole.AddObjectPermissionFromLambda<Note>(SecurityOperations.Read, n => n.Owner.Oid == (Guid)CurrentUserIdOperator.CurrentUserId(), SecurityPermissionState.Allow);
See Also