Friday, February 21, 2014

Validation, Conditional Appearance, Security or all modules at once?

I believe this recent discussion in the Support Center will be very interesting for the XAF community.
Let me quote myself from comments to this thread:

Let me comment on the security aspect of this solution. The ConditionalAppearance module (as stated in the docs) should not be used as a security measure, even if it can hide or disable certain UI elements. Its primary purpose is to customize the appearance of the application and to provide a better UX by guiding an end user through the predefined application flow (e.g., he or she entered a certain value, and depending on it, new editors appear just for this case, or certain editors get disabled so that the user cannot go the wrong way).

So, if you need data protection, you should also have additional security checks (preferably on the server side) and not rely just on the availability of UI controls. For this, I can recommend the following things:

1. Make sure your business logic in data model classes or controllers handles invalid user inputs or other unwanted situations, even if you have set up the Validation or ConditionalAppearance rules for the UI.
2. Use the Security System module to protect your data in the UI or on the server side.
3. Consider hiding your database from the client by using a remote data store service, as described in "How to connect to a remote data service instead of using a direct database connection".
4. Consider storing the Application Model differences in the database instead of the file system, thus preventing powerful end users from customizing it manually. See the "How to manage user settings (reset, merge, import, export, etc.) stored in the database instead of a file system" example for more details.
5. Make sure your application does not allow loading external modules/plug-ins from the configuration file by using the right XafApplication.Setup method overload.

There may, of course, be more things to look at if the final application will be deployed in a banking environment, as in the case of the original ticket owner. So feel free to share your feedback on this as well. I know that some of our XAF customers (like Robert Anderson) have production apps working in similar security-sensitive environments, so it would be great to hear about your experience. Thanks!
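To illustrate the first recommendation, here is an added example (not code from the quoted thread or from DevExpress) of a persistent class that keeps its own checks next to a ConditionalAppearance rule. It assumes an XPO-based XAF project; the class name Payment, its properties and the rule ID are hypothetical.

```csharp
using System;
using DevExpress.ExpressApp.ConditionalAppearance;
using DevExpress.Persistent.Base;
using DevExpress.Persistent.BaseImpl;
using DevExpress.Xpo;

// Hypothetical business class; Payment, Amount and IsApproved are illustrative names.
[DefaultClassOptions]
// UI hint only: disables the Amount editor once the payment is approved.
// Code that sets the property directly never sees this rule.
[Appearance("Payment.LockAmountWhenApproved", TargetItems = "Amount",
    Criteria = "IsApproved = True", Enabled = false)]
public class Payment : BaseObject {
    public Payment(Session session) : base(session) { }

    private decimal amount;
    public decimal Amount {
        get { return amount; }
        set {
            // Model-level check: applies to every caller (controllers, imports,
            // services), not only to the editor that the Appearance rule disables.
            if (!IsLoading && IsApproved && value != amount)
                throw new InvalidOperationException(
                    "The amount of an approved payment cannot be changed.");
            SetPropertyValue("Amount", ref amount, value);
        }
    }

    private bool isApproved;
    // Who may change this flag is a permission question for the Security System.
    public bool IsApproved {
        get { return isApproved; }
        set { SetPropertyValue("IsApproved", ref isApproved, value); }
    }

    // Final check before the object is written to the data store, independent
    // of any Validation rule evaluated in the UI.
    protected override void OnSaving() {
        base.OnSaving();
        if (!IsDeleted && Amount <= 0)
            throw new InvalidOperationException("Amount must be greater than zero.");
    }
}
```

With the Appearance attribute removed, the UI becomes less friendly but the data rules still hold; with the setter and OnSaving checks removed, the editor still looks locked while the rule is no longer enforced for other callers.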

Tuesday, February 18, 2014

AuditTrail module performance improvement in v13.1.10 and v13.2.7

I would like to draw your attention to an improvement we recently made in the AuditTrail module:

AuditTrail - Low performance when saving data under certain circumstances

Please install version 13.1.10+ or 13.2.7+ and let us know whether it now works better in your app.

I am focusing on this due to a recent discussion in this support ticket. In short, if something is not performing well or fast enough, it is always worth researching the cause of this behavior, rather than disabling a feature completely, especially when it relates to built-in XAF modules.

There may be some tricky or uncovered scenarios, and specialized profiling tools (e.g., AQTime and SQL Server Profiler) may help to find the cause of such performance issues. If you are not familiar enough with profilers to profile the project yourself (imho, mastering them is still important for any professional developer), feel free to send it to us, so that we can research it and find the best solution. I understand that preparing an entire project or test sample may take some time, but the result is worth it. This may also help improve the product itself and the experience of other users, which is always appreciated by the community. Thanks!

Wednesday, February 12, 2014

My Top 10 favorite DevExpress CodeRush features for .NET development in Visual Studio

http://habrahabr.ru/company/devexpress/blog/211805/

This is my recent post on HabraHabr (a sort of TechCrunch in Russia) about my favorite CodeRush functions. If you do not understand Russian, try using Google Translate, Google Chrome or just watch the videos from this post.

Wednesday, February 5, 2014

Changing window title when data within a View is modified

Today I have updated one of my examples that shows how to customize a window title to add the asterisk mark when an object in the View is modified:


If you are interested in it, check out the implementation details below:

http://www.devexpress.com/example=E1703

Basically, this solution consists of a single platform-agnostic WindowController that tracks data changes via the IObjectSpace.ModifiedChanged event and updates the window caption via the WindowTemplateController API. You may also want to learn more about other built-in controllers, grouped by functionality, at Built-in Controllers and Actions.