OutSystems roles - a lesson in always checking your assumptions
Almost 6 years it's been since I last tapped a keystroke about engineering, and that wasn't even a technical post. Wild how time flies.
New year, new me, new blogging platform, new ideas. As the kids say, LFG:
I've been working with OutSystems for about 10 years now. During that time, the platform has obviously changed a lot. There's at least one of those changes that led me to believe I had blipped between two universes in the singularity - a leading popular theory as to the reasoning behind the Mandela Effect. My own personal Mandela Effect was discovering that calling CurrDateTime() multiple times during a transaction would actually give you the current DateTime as opposed to the instance the current transaction had started. There are hundreds of unnecessary CommitTransactions out there left in the wake of my ignorance.
Most of the time these changes occur in our own timeline, though, and just happen to slip by unnoticed in the constant stream of release notes provided when the platform receives an update. As such, let me present to you:
The Assumption™:
Assessing roles at runtime, whether via the OutSystems User provider, GrantRole() and RevokeRole() actions, or direct metamodel manipulation, you must reset the user session by logging them out and back in for those role changes to take effect.
I am not crazy in this instance. After conferring with a number of other developers, tech leads, and architects, the broad consensus is that this has always been a truth you have to work around in OutSystems. If you are an OutSystems technical contributor, this almost certainly sounds, perhaps painfully, familiar. I am guessing you also resonate with the following sentence I uttered to my colleagues at our weekly meeting:
There is a miles-long trail of well-meaning but inevitably pointless workarounds that I've left in hundreds of projects for multiple clients in service of this assumption.
That's right - The Assumption™ is no longer valid. Don't believe me? Go try it for yourself! I actually discovered this while I was, once again, building a logout/login system to account for it. I had removed the role required to see a screen and found that when I attempted to navigate to the screen, I was immediately sent to the InvalidPermissions screen. It worked the same in reverse, allowing immediate access to new screens and features when I added a role in the User provider, all without cycling the user's session.
This revelation was so shocking I had to confirm what I was seeing with someone I know at OutSystems. Together we searched the platform release notes page on the OutSystems website looking for which recent version fixed this longstanding quirk, but we couldn't find it right away because it was not a recent version. This problem has been a non-problem since April 2020.
I am not the only person who has been developing around a non-existent issue for the last 5 years. I'd be willing to bet if you are still reading this article, you're like me: counting up the hours spent and wondering what lesson is to be gleaned from this experience. In my mind, it boils down to one prescient lesson and a handful of ideas.
The lesson is one I got from one of my high school science teachers, Mr. Maeckelbergh:
Never assume. When you assume, it makes an ass out of u and me.
Thank you, Mr. Maeckelbergh. Hope you read this one day. Truthfully though, while this is a good philosophy it doesn't mean terribly much in practice. As engineers, we need to know a lot and we have very little spare time to rifle through 100s of lines of release notes every few weeks when a new O11 platform version is released, let alone the myriad of other products we use daily in our work. Therefore I would say:
- As a community of engineers, developers, and contributors, let's make sure we vocally share things in the forums and our own platforms as we discover them.
- As a company and value-driver, I would like to see OutSystems offer a plain-language channel into exciting platform updates that meets developers where they are (perhaps in Service Studio?)
- As individuals, perhaps we should be reviewing the platform release notes from time to time, but perhaps and easier path would be to make sure we are subscribed to the update channels we already have access to like the Dev Newsletter, the OutSystems Youtube channel, and even their podcast, Decoded.
Oh, and also subscribe to me while you're at it! It's free, just like shamelessly plugging your own publication.
