The existing XPath-based access rules don’t provide enough agility to control access to business objects. When we try to control each attribute individually the SQL query becomes huge and slow. Similarly, using conditional editability on client and doing the checks in all “Save” microflows requires too much manual work and duplication of code.
The possible solution would be to extend the existing java API with a user callback to post-process the retrieved list of MendixObject’s and new methods to override the object member readable/writable access.
There are already callbacks for “Create”, “Delete”, “Commit”, but there’s no for “Instantiate”. Also, trying to post-process each object individually could be slow so the new callback should receive the whole list of objects.
Such a callback would work not only for microflows, but also for direct XPath queries from the client and be transparent to the other business engineers.
Upd: looks like if using a Data Grid then MendixObject instances aren’t created. The list of DataRow is converted directly to JSON. It means that our callback should work on DataRow, not MendixObject.
Here’s the proposed API extension
// new interface to add
interface RefreshAccessListener {
void onDataRow(IContext context, IDataRow row);
// The following may be faster if the entity access is calculated for a batch:
// void onDataRows(IContext context, List<IDataRow> rows);
}
...
// inside java action
public static void registerMyListener() {
RefreshAccessListener l = new RefreshAccessListener() {
@Override
public void onDataRow(IContext context, IDataRow row) {
boolean writable = Core.retrieve...(context)...
row.overrideWriteAccess("attr1", writable );
row.overrideWriteAccess("attr3", writable );
}
};
Core.getListenersRegistry().registerRefreshAccessListener(l);
}