
Attribute roles to anonymous access (Guest) #1831


User avatar
0
jfmeyers created

Hello,

In ABP, it's possible to assign roles and permissions only to users. Would it be possible to create a static role with a name like "Guest" or "Anonymous" that will automatically be attributed to non-logged-in users?

We need to put the AbpMvcAuthorize attribute ([AbpMvcAuthorize(PagesPermissionNames.PagesPageRead)]) on a controller and determine whether the visitor can access the page or not. The problem is that currently AbpMvcAuthorize checks if the visitor is authenticated (AbpSession.UserId.HasValue in AuthorizationHelper, etc).

Thank you


6 Answer(s)
  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi,

    I couldn't understand the case very well. Why do you need to add the AbpMvcAuthorize attribute if not-logged-in users are going to access this controller?

    Let's say that we accomplish your idea (assigned the Anonymous role to not-logged-in users). How are you going to determine if a not-logged-in user has the Anonymous role or not?

  • User Avatar
    0
    jfmeyers created

    Thank you for the reply.

    We are currently developing a CMS based on ABP. The same CMS is sold to different clients who have different needs.

    For example, we put a [AbpMvcAuthorize("Blog.Read")] on an action of a controller that allows the display of a blog. For some of our clients, the blog is accessible to everybody, and for other clients the blog is accessible only to certain users. So we need to indicate whether a visitor (User or Anonymous) can access it or not with the permission "Blog.Read".

    In our case, we need all not-logged-in users to automatically have the Anonymous role. With that we can adjust accessibility to parts of our CMS directly in the back-office without changing code (removing the AbpMvcAuthorize).

    I do not know if I correctly expressed our needs. My English is not so good. Tell me if it's not clear.

    Thank you

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi,

    Thank you for your detailed explanation. In that case I suggest you create a custom AbpMvcAuthorize filter which derives from AbpMvcAuthorize. You can check this comment to understand how to do it: https://github.com/aspnetboilerplate/aspnetboilerplate/issues/1256#issuecomment-237463318

    You also need to define a Feature for tenants which indicates whether anonymous users can read the blog or not (for example AllowAnonymousToReadBlog).

    In your custom filter, first check the value of the feature for the current tenant; then, if the feature value is false, call the OnAuthorize method of the base class.

    In this case you will check for user authorization when the AllowAnonymousToReadBlog feature value is false.

    Please let us know if you have any problems implementing this. Or if this is not a good solution for you.

  • User Avatar
    0
    Astech created

    Hi @ismcagdas

    Apologies for bringing up such an old thread. However, we are trying to do exactly what @jfmeyers was describing several years ago, and introduce a setting whereby tenants can Allow Public Access to just some areas.

    The easiest route we can see to achieving this is to create our own AbpAuthorizationFilter implementation, which we have done:

    public class PublicIfSetMvcAuthorizeFilter : AbpAuthorizationFilter
    {
        private readonly ITenantSettingsAppService _tenantSettingsAppService;

        public PublicIfSetMvcAuthorizeFilter(IAuthorizationHelper authorizationHelper, IErrorInfoBuilder errorInfoBuilder, IEventBus eventBus, ITenantSettingsAppService tenantSettingsAppService) : base(authorizationHelper, errorInfoBuilder, eventBus)
        {
            _tenantSettingsAppService = tenantSettingsAppService;
        }

        // "new" hides the base-class method rather than overriding it.
        public new async Task OnAuthorizationAsync(AuthorizationFilterContext context)
        {
            // Read the tenant-level "allow public access" setting.
            var setting = await _tenantSettingsAppService.GetAllowPublicAccessSettingAsync();

            // Setting enabled: skip the permission check for this request.
            if (setting.AllowPublicAccess)
                return;

            // Otherwise fall back to the standard authorization check.
            await base.OnAuthorizationAsync(context);
        }
    }
    

    We are then hoping to use a Custom MvcAuthorizeAttribute to mark methods that allow public access (when the setting is set to true) while leaving other methods using the original AbpMvcAuthorize which will always require the specified permission. For example:

    [PublicIfSetMvcAuthorizeAttribute(AppPermissions.Pages_Teams)]
    public ActionResult Index()
    {
        // If the global "Allow public access" setting is true, anyone can get here. Else, only allow people with AppPermissions.Pages_Teams allowed
    }
    
    [AbpMvcAuthorize(AppPermissions.Pages_Teams)]
    public async Task<PartialViewResult> CreateOrEditTeamModal(int? id)
    {
         // Only allow people with AppPermissions.Pages_Teams allowed
    }
    

    We have created the PublicIfSetMvcAuthorizeFilter (as above). We have also created the PublicIfSetMvcAuthorizeAttribute:

    public class PublicIfSetMvcAuthorizeAttribute : AbpMvcAuthorizeAttribute
    {
        public PublicIfSetMvcAuthorizeAttribute(params string[] permissions)
        {
            Permissions = permissions;
        }
    }
    

    How do we set our new attribute so that it uses our new filter, while still leaving the original attribute using the original filter? At the moment when we use our new attribute it simply applies the original filter still.

    Many thanks in advance,
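
The opt-in pattern discussed in this thread (a tenant setting that can open only specially marked actions, with the permission check as the fallback), sketched in plain ASP.NET Core MVC. This is an added example, not code from the thread or from ABP: `ITenantAccessSettings` and `IPermissionGate` are hypothetical stand-ins for the tenant setting and the permission check, and `TypeFilterAttribute` is used here to bind the attribute to its own filter.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

// Hypothetical abstractions (assumptions, not ABP types); register them in DI.
public interface ITenantAccessSettings { Task<bool> AllowPublicAccessAsync(); }
public interface IPermissionGate { Task<bool> IsGrantedAsync(string permission); }

// Opt-in marker: only actions carrying this attribute can ever become public.
// TypeFilterAttribute makes MVC build the named filter for exactly these actions.
public sealed class PublicIfSetAuthorizeAttribute : TypeFilterAttribute
{
    public PublicIfSetAuthorizeAttribute(string permission)
        : base(typeof(PublicIfSetAuthorizeFilter))
    {
        Arguments = new object[] { permission }; // passed to the filter constructor
    }
}

public sealed class PublicIfSetAuthorizeFilter : IAsyncAuthorizationFilter
{
    private readonly string _permission;
    private readonly ITenantAccessSettings _settings;
    private readonly IPermissionGate _permissions;

    public PublicIfSetAuthorizeFilter(string permission,
        ITenantAccessSettings settings, IPermissionGate permissions)
    {
        _permission = permission;
        _settings = settings;
        _permissions = permissions;
    }

    public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
    {
        bool allowPublic;
        try { allowPublic = await _settings.AllowPublicAccessAsync(); }
        catch (Exception) { allowPublic = false; } // fail closed if the setting is unreadable

        if (allowPublic) return; // tenant opted in: Result stays unset, request proceeds

        var user = context.HttpContext.User;
        if (user?.Identity?.IsAuthenticated != true)
            context.Result = new ChallengeResult(); // anonymous visitor: ask to sign in
        else if (!await _permissions.IsGrantedAsync(_permission))
            context.Result = new ForbidResult();    // signed in but lacks the permission
    }
}
```

Because the filter is attached per attribute rather than registered globally, actions that keep the ordinary authorize attribute are unaffected by the tenant setting.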

  • User Avatar
    0
    Astech created

    Hi @ismcagdas,

    I wondered if you've had chance to take a look at this please?

    I think we are very close and would be very grateful if you could cast your eye over what we are doing.

    Thank you very much

  • User Avatar
    0
    Astech created

    Anyone?