Open Closed

AbpAuthorize attribute and Multitenancy #12


0
etshei created

Hi everyone,

First, thank you very much for this jewel, i hadn't used asp.net before but it was easy with your help :D . Second, i'm working on a hotel reservation project (multi-page mvc app) and i had to use areas (Admin and Front) and i used the multitenancy config to have 2 kind of users (admins and members). Everything works fine (i think) until the case that logged user that have a tenant = "Front" can access the admin area wher Tenant must be Admin (and vice-versa). So like you might have thought, i need to have the AbpAuthorize attribute verify the TenantId before anything.

Can anyone help me with this?

BTW, how can you get the logged in user. Right now i'm using this on the views:

Context.User.Identity.IsAuthenticated

Is there any method that retrieve the User object?

Thanks in advance. Abdessamad HAFIDI


3 Answer(s)
  • 0
    hikalkan created
    Support Team

    Hi @etshei,

    Thanks a lot. I hope you will use ABP much more :)

    First of all, you are in the wrong way. Multi-tenancy is not for that. This should be done with Roles and you should check permissions instead of tenants. Tenancy is completely different topic. If you want to deploy project into one hosting and single database, and two or more hotel will use it, then the answer is multi-tenancy. Thus, every hotel will be it's own admin panel and users. But, that's not your case.

    Define two roles: User and Admin. Define permissions to enter the pages. Then assign related permissions to roles. Then assign users to roles. Then check for permissions.

    Maybe it's hard you for now since I haven't documented module-zero yet. I will document it soon when I finish fundamental parts. For now, you can check the sample application: <a class="postlink" href="https://github.com/aspnetboilerplate/module-zero/tree/master/sample">https://github.com/aspnetboilerplate/mo ... ter/sample</a> even it's angularjs, it may help you.

    BTW, to get current user and tenant, inject IAbpSession (it's already injected if you derived from ApplicationService in application layer or AbpController in MVC) and get IAbpSession.UserId and IAbpSession.TenantId. Then you can inject IRepository<User> or IRepository<Tenant> and call Get(id) method.

  • 0
    etshei created

    so multitenancy is mainly (or even completely i guess) used for SAAS? i had it all wrong. I'll use roles/permissions as you've suggested, and affect them to my users.

    Thanks for the answer ;)

    BTW, CurrentSession is the name of the injected IAbpSession property in both the AbpController based controllers and ApplicationService based services if anyone needs it

  • 0
    hikalkan created
    Support Team

    Yes, it's for SaaS scenarios. Thanks for the information sharing ;)