XAF0035: Avoid using SecuritySystem static members in XAF Blazor / Web API Service
Severity: Warning
In ASP.NET Core-based XAF applications (Blazor UI and Web API Service), the ValueManager context may be unavailable. Consequently, using SecuritySystem static members—such as Instance, CurrentUserId, and CurrentUserName—can lead to runtime failures such as InvalidOperationException (ValueManagerContext.Storage is null). This diagnostic enforces modern, supported patterns for accessing the current user in XAF Blazor and Web API applications.
Refer to the following resources for additional information:
- Core - ValueManager API availability and deprecated static helpers in XAF .NET 6+ apps (Blazor, Web API Service, WinForms)
- Access the Currently Logged User for Data Filtering, Business Logic, and Security Permissions
Note
SecuritySystem static members function correctly in XAF WinForms applications.
Examples
Invalid Code
SecuritySystem static helpers rely on DevExpress.Persistent.Base.ValueManager, which is not guaranteed to be initialized in ASP.NET Core pipelines. This can lead to runtime failures in Blazor and Web API Service applications.
    // Data model and business logic code (unsupported in Blazor / Web API Service)
    public Guid CreatedByUserId =>
        (Guid)DevExpress.ExpressApp.SecuritySystem.CurrentUserId;

    var userName = DevExpress.ExpressApp.SecuritySystem.CurrentUserName;
Valid Code (EF Core Examples)
Access security user properties from an XAF data model or ViewController:
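    using DevExpress.ExpressApp.Security;            // ISecurityStrategyBase
    using Microsoft.Extensions.DependencyInjection;  // GetRequiredService<T>()
    // ...
    // Resolve the security service from the Object Space's service provider,
    // then load the user object by its key.
    ApplicationUser GetCurrentUser() {
        return ObjectSpace.GetObjectByKey<ApplicationUser>(
            ObjectSpace.ServiceProvider.GetRequiredService<ISecurityStrategyBase>().UserId);
    }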
Access security user properties from an ASP.NET Core / Web API Controller:
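    using System.Collections.Generic;
    using System.Linq;
    using Microsoft.AspNetCore.Mvc;
    using DevExpress.ExpressApp.Security;
    using DevExpress.Persistent.BaseImpl.EF.PermissionPolicy;
    // ...
    [Route("api/[controller]")]
    [ApiController]
    public class CustomEndpointController : ControllerBase {
        [HttpGet]
        public IEnumerable<string> Get(ISecurityProvider securityProvider) {
            // ISecurityProvider is supplied by dependency injection for the current request.
            ISecurityUserWithRoles user = (ISecurityUserWithRoles)securityProvider.GetSecurity().User;
            // Access user properties. Here, the names of the user's roles are returned.
            return user.Roles.Select(role => role.Name);
        }
    }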
How to Fix
If your code relies on CurrentUserId or other static members, update the implementation according to the following recommendations:
- Remove or avoid using the SecuritySystem static helper. Instead, use lightweight, dependency injection (DI)-based services, such as ISecurityStrategyBase, ISecurityProvider, and other security-related XAF services.
In business class code, obtain the required DI services through the ObjectSpace.ServiceProvider (EF Core) or Session.ServiceProvider (XPO) properties, which are accessible through your base business class (BaseObject). To work with data in XAF Controllers, use IObjectSpace or the XafApplication.ServiceProvider to obtain the required DI services. Refer to the following help topics for additional information:
- Outside of XAF Controllers and business classes (for instance, in an ASP.NET Core / Web API Controller), use ISecurityProvider and other services. Refer to the following help topic for additional information: Access Object Space, Security System, and Caption Helper in the ASP.NET Core Environment.
- Use built-in criteria functions, such as CurrentUserId or IsUserInRole, in criteria expressions where you do not need C# code.
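The business-class recommendation above, applied to the CreatedByUserId scenario from the Invalid Code section. This is an added example, not DevExpress code: the Ticket class, its properties, and ResolveCurrentUser are hypothetical, and ApplicationUser is assumed to be the application's security user type, as in the page's snippets.

```csharp
using DevExpress.ExpressApp.Security;
using DevExpress.Persistent.BaseImpl.EF;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical EF Core business class that stamps the acting user on
// creation and on every save without touching SecuritySystem statics.
// Add a using for the namespace that declares ApplicationUser in your project.
public class Ticket : BaseObject {
    public virtual string Subject { get; set; }
    public virtual ApplicationUser CreatedBy { get; set; }
    public virtual ApplicationUser ModifiedBy { get; set; }

    public override void OnCreated() {
        base.OnCreated();
        CreatedBy = ResolveCurrentUser();
    }

    public override void OnSaving() {
        base.OnSaving();
        // Keep the last known value when no user can be resolved.
        ModifiedBy = ResolveCurrentUser() ?? ModifiedBy;
    }

    // Resolves the user from the Object Space that owns this object, so the
    // identity always belongs to the request or circuit doing the work.
    // Nothing is cached in a static field.
    ApplicationUser ResolveCurrentUser() {
        // GetService (not GetRequiredService) returns null instead of throwing
        // when the security service is not registered.
        ISecurityStrategyBase security =
            ObjectSpace?.ServiceProvider?.GetService<ISecurityStrategyBase>();

        // No authenticated user: for example, code that runs before logon
        // or outside a user session.
        if (security is null || !security.IsAuthenticated || security.UserId is null) {
            return null;
        }

        // Load the user through the same Object Space so the reference
        // belongs to the same unit of work as this Ticket.
        return ObjectSpace.GetObjectByKey<ApplicationUser>(security.UserId);
    }
}
```

A null CreatedBy after a save indicates the object was created without an authenticated user, which is worth checking for in audit queries.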