Hi,
Is it possible to link the current authorization concept with an additional table? Currently (single database - without tenantcy) has permissions, roles and user. We want to introduce a new table called location and link it with the current authorization structure.
yellow marked tables are already available in the initial framework. [attachment=0:2o7jns6y]Structure.png[/attachment:2o7jns6y]
The authorization concept with the new table location will provide the following possibility: UserA -- PermissionA -- LocationA UserA -- PermissionB -- LocationA UserA -- PermissionB -- LocationB UserA -- PermissionC -- LocationC UserB -- PermissionA -- LocationB
How can we realize this in the current ABP/netZero framework?
Currently the framework is checking the permission string. With our scenario we need and additional parameter: permission and location
3 Answer(s)
-
0
Hi,
I thought on that. The only way of doing it easily is to define permissions combined location + permission name. That means you can define permission names like that:
"LocationA" "LocationA_PermissionA" "LocationA_PermissionB" "LocationB" "LocationB_PermissionA" "LocationB_PermissionB"
Here, I defined 2 parent permissions and 4 child permissions of them. Then you can check if a user has granted for "LocationB_PermissionA" permission. Thus, you will not change any code and UI. Everything will work as expected.
If your locations are hard-coded, then this solution will work fine.
-
0
Hi,
This was also in my mind but the problem is, that the locations will be defined dynamically during runtime. Means, the client will get an application with one location setup by us. If he requests a additional location, we will just add an additional entry in the location table.
With your proposal we have to modify after every new location the source code to extend the permissions. :-(
Is there a another way?
Thank you
-
0
Permissions can be generated dynamically from database. To do that, you can inject a repository (like IRepository<Location>) to your AuthorizationProvider class and create permissions dynamically. Also, you should use PermissionChecker's Authorize or IsGranted methods to check permissions. You can not use [AbpAuthorize] attribute since as you know attributes can only get constants as parameter.
The only disadvantage is that: You should recycle your application on IIS after changing locations since permissions are created on startup.