Using LightSwitch ServerApplicationContext and WebAPI to Get User Permissions

Using LightSwitch ServerApplicationContext and WebAPI to Get User Permissions

Rate This
  • Comments 20

Last post I showed a simple way of checking a single user permission from an HTML client screen in order to disable/enable UI elements. If you only have a couple permissions to check and you don’t want to write a lot of code then this simple tip works. However, if you need to check many permissions throughout your HTML client app or you need to return permissions to custom web clients you build against the LightSwitch server, a better idea is to retrieve all these permissions at once for the logged in user and store them on the client so all screens can access them without hitting the database again.

The LightSwitch philosophy is to provide RAD tools for building business apps fast, but still allow advanced customization where and when you need it. In this post I’ll show you a way to return user permissions by creating a custom web method using Web API and the LightSwitch ServerApplicationContext that was introduced in Visual Studio 2012 Update 2. If you missed Matt’s post about it, check it out here: Using the LightSwitch ServerApplicationContext API

You can download the sample code from this post here.

Create Permissions and Secure your Data

The first step in securing your data based on user permissions is to define your permissions and check them from the entity access control methods. For this example, we will define a couple permissions “CanAddCustomer” and “CanEditCustomer” that determines whether a user can perform Inserts and Edits on a Customer entity on the server.

Open the Project Properties and define your permissions. Make sure to enable authentication. Then check off the permissions you want to enable while you’re debugging.

image_thumb[1]

Then in the data designer, select the Server perspective and then drop down the “Write Code” button and select the Customers_CanInsert and Customers_CanUpdate access control methods:

image

Then you write code like this to allow or disallow the insertion and editing of customers:

VB:

Private Sub Customers_CanInsert(ByRef result As Boolean)
    result = Me.Application.User.HasPermission(Permissions.CanAddCustomer)
End Sub

Private Sub Customers_CanUpdate(ByRef result As Boolean)
    result = Me.Application.User.HasPermission(Permissions.CanEditCustomer)
End Sub

C#:

partial void Customers_CanInsert(ref bool result)
{
    result = this.Application.User.HasPermission(Permissions.CanAddCustomer);
}

partial void Customers_CanUpdate(ref bool result)
{
    result = this.Application.User.HasPermission(Permissions.CanEditCustomer);
}

 

You always want to secure the server-side this way in order to protect the data in your system. However, sometimes we also want to use a permission check in the UI in order to hide/unhide (or enable/disable) elements on a multitude of screens.

As I mentioned in my previous post, the Silverlight desktop client exposes a User object available to you at all times from any screen, so checking permissions on the client is easy. Here’s how you can create a similar object for the HTML client that holds all the permissions for a logged in user.

Create a Custom Web API on the LightSwitch Server

First we’re going to use Web API to expose a RESTful service that will return JSON to the client. Flip to the file view in the Solution Explorer.

image_thumb[4]

Add a folder called “Perms” (or whatever you want to call it) to the Server project , add an new item, and select Web API Controller Class and name it “UserPermissionsController”.

image_thumb[3]

Now we can use the LightSwitch ServerApplicationContext to verify the user is authenticated and to create a dictionary of their own permissions. If the user is not authenticated then nothing is returned. Note that you will need to add references to the LightSwitch Server and Security namespaces first.

In order to query the LightSwitch SecurityData where the permission data resides we need to temporarily elevate the caller’s permissions. This elevation is only in effect during the extent of the execution of the method. For more information about permission elevation see: How to Elevate Permissions in Server Code

Be careful what you put in this dictionary. Here we are simply populating a list of permissions, we’re not putting any sensitive information in there like the user’s name or passwords. Remember with power comes responsibility.

VB:

Imports System.Net
Imports System.Web.Http
Imports LightSwitchApplication
Imports Microsoft.LightSwitch.Server
Imports Microsoft.LightSwitch.Security

Public Class UserPermissionsController
    Inherits ApiController

    ' GET api/<controller>
    Public Function GetValues() As Dictionary(Of String, Boolean)
        'This will generically retrieve all the permissions of the current logged in user. 

        Dim perms As New Dictionary(Of String, Boolean)

        Using ctx As ServerApplicationContext = ServerApplicationContext.CreateContext()
            Dim currentUser = ctx.Application.User

            'If the requestor is not logged in then nothing is returned. 
            ' Only properly logged in users can retrieve their own permissions
            If currentUser.IsAuthenticated Then

                perms.Add(Permissions.SecurityAdministration,
                          currentUser.HasPermission(Permissions.SecurityAdministration))

                'elevate permissions temporarily
                currentUser.AddPermissions(Permissions.SecurityAdministration)

                For Each perm As Permission In ctx.DataWorkspace.SecurityData.Permissions()
                    If perm.Id <> Permissions.SecurityAdministration Then

                        perms.Add(perm.Id, currentUser.HasPermission(perm.Id))
                    End If
                Next
            End If
        End Using

        Return perms
    End Function

End Class

 

C#:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using Microsoft.LightSwitch.Server;
using Microsoft.LightSwitch.Security;
using Microsoft.LightSwitch.Security.Server;
using LightSwitchApplication;

namespace LightSwitchApplication.Perms
{
    public class UserPermissionsController : ApiController
    {
        // GET api/<controller>
        public Dictionary<string, Boolean> Get()
        {
            Dictionary<string, Boolean> perms = new Dictionary<string, Boolean>();

            using (ServerApplicationContext ctx = ServerApplicationContext.CreateContext())
            {
                var currentUser = ctx.Application.User;
                if (currentUser.IsAuthenticated)
                {
                    perms.Add(Permissions.SecurityAdministration,
                        currentUser.HasPermission(Permissions.SecurityAdministration));

                    currentUser.AddPermissions(Permissions.SecurityAdministration);

                    foreach (Permission perm in ctx.DataWorkspace.SecurityData.Permissions)
                    {
                        if (perm.Id != Permissions.SecurityAdministration)
                        {
                            perms.Add(perm.Id, currentUser.HasPermission(perm.Id));
                        }
                    }
                }
            }
            return perms;
        }
    }
}

Finally we need to add a route to our controller. Right-click on the server project again and add a Global Application Class (Global.asax) and add the following references at the top:

VB:

Imports System.Web.Http
Imports System.Web.Routing

C#:

using System.Web.Routing;
using System.Web.Http; 

Then in the Application_Start method add the route.

VB:

Sub Application_Start(ByVal sender As Object, ByVal e As EventArgs)
    ' Fires when the application is started
    RouteTable.Routes.MapHttpRoute("PermsApi", "Perms/{controller}")
End Sub

C#:

protected void Application_Start(object sender, EventArgs e)
{
    RouteTable.Routes.MapHttpRoute("PermsApi", "Perms/{controller}");
}

Retrieve the Permissions on the Client

Next we need to call this method from the client and save the data in a global object. On the LightSwitch HTML client there is a global object called myapp that we can use to store the permissions object. You can use the myapp object in a variety of ways in order to access data and screens in the HTML client. Check out some other uses here- How to: Modify an HTML Screen by Using Code

The handiest place to put the code to retrieve the permissions is in the created method on the first screen in our application. This is the first user method that will be called when the app starts and we can be sure that the LightSwitch client environment is ready.

Open the screen that is set as your Home screen (this is probably the first screen you created or you can right-click on a screen in the Solution Explorer and “Set as Home Screen”). Select the Screen node at the top of the content tree, drop down the “Write Code” button, and select the created method.

image

Here’s the code that will call the web API and return a JSON object with the permissions.

myapp.BrowseCustomers.created = function (screen) {
    // Write code here.
    $.getJSON("../Perms/UserPermissions/", function (data) {

        //attach the permissions to the global 'myapp' object 
        //so it is accessible to the client anywhere.
        myapp.permissions = data;
     });    
};

Put a breakpoint here and notice that the dictionary of permissions is returned when you run it.

image_thumb[5]

 

Check the Permissions in JavaScript Code

Now that we have the set of permissions on the client we can check permissions anywhere in our HTML screens by writing some simple JavaScript. In my example I want to enable/disable buttons on a screen depending on whether the user can add or edit Customers.

First take note of the control names you want to manipulate. In my case I have a couple buttons one named AddCustomer and another named EditCustomer.

image_thumb[6]

Just like before, select the Screen node at the top of the content tree, drop down the “Write Code” button, and select the created method for that screen. Then write code to check the permissions object:

if (myapp.permissions["LightSwitchApplication:CanAddCustomer"]) {
    screen.findContentItem("AddCustomer").isEnabled = true;
}
else {
    screen.findContentItem("AddCustomer").isEnabled = false;
}
if (myapp.permissions["LightSwitchApplication:CanEditCustomer"]) {
    screen.findContentItem("EditCustomer").isEnabled = true;
}
else {
    screen.findContentItem("EditCustomer").isEnabled = false;
}

Now we can see that buttons are correctly enabled & disabled based on the permissions.

image_thumb[8]

Wrap Up

LightSwitch is all about productivity and we strive to provide the best developer experience for building business apps as fast as possible. However we also want to allow advanced customization and power where and when you need it. Whether that’s implementing custom controls, data sources, web services, etc.  -- there is a lot of room for extensibility, especially in the latest version (V3) of LightSwitch in Visual Studio 2012 Update 2.

There are a lot of possibilities that are available to you now that we’ve opened up the LightSwitch API on the server using the ServerApplicationContext. Coupled with the ease of using Web API you can provide custom service interfaces to your LightSwitch server logic to provide smart, custom, RESTful HTTP services to a host of clients.

With this practical example, I hope I not only showed you how to retrieve user permissions but also gave you a glimpse of what is possible. Stay tuned to the LightSwitch Team blog for more examples like dashboards and reporting scenarios.

Enjoy!

Leave a Comment
  • Please add 6 and 5 and type the answer here:
  • Post
  • Hi, Is it possible to use this to restrict access to entire screens in a similar way to the destop client?

  • Beth thank you for all the documentation, I finally got past some breakpoints not getting hit. But now when I run this code.

    myapp.BrowseQryParcels.created = function (screen) {

       //alert("Hello World");

       // Write code here.

       $.getJSON("../Perms/UserPermissions/", function (data) {

           alert("Hello World 2");

           //attach the permissions to the global 'myapp' object

           //so it is accessible to the client anywhere.

           myapp.permissions = data;

           alert(myapp.permissions);

       });

    };

    When it gets to myapp.permissions = data; it shows as undefined. Any thoughts. I have followed and double check everything else in this post and it looks fine. I am running VS 2013 on Win 7 x64. Thoughts?

  • Hi Beth,

    Thanks for this. However might I point out that this implementation is flawed slightly. By only placing this on the startup screen, the myapp.permissions won't be populated if a user refreshes the browser on any other screen.

    Something we found out during a publish to live. Sad sad face goes here.

    Regards to the Team. Still really enjoying Lightswitch a lot, just not enjoying the lack of up-do-date documentation.

    Is there a way we can put unilateral pressure for you guys to get more resources for technical writing and useful msdn moderation (your current moderators just seem to mark the closest thing to an answer as an answer in many places and some people just don't bother responding to tell them its not the answer)? Release notes, official roadmap, updated api/dom docs, etc would be really useful. Version fail of msls2.5.0 was a small disaster too. Even the latest api client reference examples are flawed or out of date (e.g. implementation of handleviewdisposed). It would be foolish of the new big boss man not to throw some resources into this goldmine you guys are excavating.

    Besides the frustration researching troubleshoots, yeah, loving it :)

    Thanks and kind regards,

    Grant Clark

  • Hi Beth! I have a question.  I have a ODATA Connector and a separate light switch application which uses this Odata Connector. I need to set up permission on Odata connector ( like read and edit) so that it should reflect on my light switch app. any idea how to achieve this? I have researched many articles but could not get an idea. Please help.

  • Hi Beth,

    Great article on how to call a list of available permissions for currentUser really useful.

    I have one question,  after temporary elevating the user and going through the list of permissions to build your dictionary of permissions,  do you need to then do

    currentUser.RemovePermissions(Permissions.SecurityAdministration); ?   or does it clean up itself after this api method call?

    Your guidance is greatly appreciated.  : )

Page 2 of 2 (20 items) 12