Skip to main content
All docs
V26.1
  • XAF0035: Avoid using SecuritySystem static members in XAF Blazor / Web API Service

    • 3 minutes to read

    Severity: Warning

    In ASP.NET Core-based XAF applications (Blazor UI and Web API Service), the ValueManager context may be unavailable. Consequently, using SecuritySystem static members—such as Instance, CurrentUserId, and CurrentUserName—can lead to runtime failures such as InvalidOperationException (ValueManagerContext.Storage is null). This diagnostic enforces modern, supported patterns for accessing the current user in XAF Blazor and Web API applications.

    Refer to the following resources for additional information:

    Note

    SecuritySystem static members function correctly in XAF WinForms applications.

    Examples

    Invalid Code

    SecuritySystem static helpers rely on DevExpress.Persistent.Base.ValueManager, which is not guaranteed to be initialized in ASP.NET Core pipelines. This can lead to runtime failures in Blazor and Web API Service applications.

    // Data model and business logic code (unsupported in Blazor / Web API Service)
    public Guid CreatedByUserId =>
        (Guid)DevExpress.ExpressApp.SecuritySystem.CurrentUserId;
    var userName = DevExpress.ExpressApp.SecuritySystem.CurrentUserName;
    

    Valid Code (EF Core Examples)

    Access security user properties from an XAF data model or ViewController:

        ApplicationUser GetCurrentUser() {
            return ObjectSpace.GetObjectByKey<ApplicationUser>(
                ObjectSpace.ServiceProvider.GetRequiredService<ISecurityStrategyBase>().UserId);
        }
    

    Access security user properties from an ASP.NET Core / Web API Controller:

    using Microsoft.AspNetCore.Mvc;
    using DevExpress.ExpressApp.Security;
    using DevExpress.Persistent.BaseImpl.EF.PermissionPolicy;
    // ...
    [Route("api/[controller]")]
    [ApiController]
    public class CustomEndpointController : ControllerBase {
        [HttpGet]
        public IEnumerable<string> Get(ISecurityProvider securityProvider) {
            ISecurityUserWithRoles user = (ISecurityUserWithRoles)securityProvider.GetSecurity().User;
            // Access user properties.
        }
    }
    

    How to Fix

    If your code relies on CurrentUserId or other static members, update the implementation according to the following recommendations: