
Field level permissions #2515


SperseDev created

Hi, could you suggest how to implement field-level permissions using the ASP.NET Boilerplate framework?

For example: I have an entity Customer with fields Name, Address, Email. Some users should have permissions to read/modify Email field values.

I know how to check the current user's permission and how to show/hide the appropriate fields on the view. But what about service endpoint methods?

It would be great to have one place to specify these permissions, maybe by attributes on the entity's fields:

[ReadPermission("Customer.Email.Read")]
[ModifyPermission("Customer.Email.Write")]
public string Email { get; set; }

Then I need to have methods to control read/update permissions at the field level:

  1. Method to get the list of the entity's fields to read/modify by current user permissions:
     string[] fields = Customer.Metadata.GetReadFields(User.Permissions);
  2. Method to ignore fields when retrieving a list of entities:
     _customerRepository.GetAllIncluding("Name", "Address");
  3. Method to ignore mapping of field values at runtime when creating/updating an entity:
     var customer = customerInput.MapTo<Customer>("Name", "Address");

Thanks in advance!
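
One way the attribute-based design sketched in the question could be enforced inside service methods, as an added example that is not part of the original thread and is not ABP code. The `ReadPermission`/`ModifyPermission` attribute names come from the question; `FieldPermissions`, `Project`, `Apply` and the sample values are hypothetical, and unannotated properties are treated as unrestricted, matching the question's Name and Address fields.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

// Attribute names follow the question; all other types are hypothetical, not ABP API.
[AttributeUsage(AttributeTargets.Property)]
public abstract class FieldPermissionAttribute : Attribute
{
    public string Permission { get; }
    protected FieldPermissionAttribute(string permission) => Permission = permission;
}
public sealed class ReadPermissionAttribute : FieldPermissionAttribute { public ReadPermissionAttribute(string p) : base(p) { } }
public sealed class ModifyPermissionAttribute : FieldPermissionAttribute { public ModifyPermissionAttribute(string p) : base(p) { } }
public class Customer
{
    public string Name { get; set; }
    public string Address { get; set; }
    [ReadPermission("Customer.Email.Read")]
    [ModifyPermission("Customer.Email.Write")]
    public string Email { get; set; }
}
public static class FieldPermissions
{
    // Properties the caller may touch: unannotated ones, plus those whose permission is granted.
    static IEnumerable<PropertyInfo> Allowed<T, TAttr>(ISet<string> granted) where TAttr : FieldPermissionAttribute =>
        typeof(T).GetProperties(BindingFlags.Public | BindingFlags.Instance)
            .Where(f => f.GetCustomAttribute<TAttr>() is null || granted.Contains(f.GetCustomAttribute<TAttr>().Permission));
    // Read filter: only permitted fields leave the service method.
    public static Dictionary<string, object> Project<T>(T entity, ISet<string> granted) =>
        Allowed<T, ReadPermissionAttribute>(granted).ToDictionary(f => f.Name, f => f.GetValue(entity));
    // Write filter: fields the caller may not modify keep their stored value.
    public static void Apply<T>(T input, T target, ISet<string> granted)
    {
        foreach (var f in Allowed<T, ModifyPermissionAttribute>(granted).Where(x => x.CanWrite))
            f.SetValue(target, f.GetValue(input));
    }
}
public static class Demo
{
    public static void Main()
    {
        // Constructed sample: the caller may read Email but holds no write permission for it.
        var granted = new HashSet<string> { "Customer.Email.Read" };
        var stored = new Customer { Name = "Ann", Address = "1 Main St", Email = "ann@example.com" };
        var input = new Customer { Name = "Ann B.", Address = "2 Oak Ave", Email = "changed@example.com" };
        FieldPermissions.Apply(input, stored, granted);   // Name and Address change, Email does not
        foreach (var kv in FieldPermissions.Project(stored, granted)) Console.WriteLine(kv.Key + " = " + kv.Value);
    }
}
```

Because the filtering runs on the server in both directions, hiding a field in the view is no longer the only control. For a deny-by-default policy, drop the `is null` branch in `Allowed` so that every exposed property must carry an attribute.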


1 Answer(s)
    hikalkan created
    Support Team

    Hi,

    The ABP framework does not have such a feature, as you know. We are thinking of adding such a feature in the long term, but it's not clear yet. I suggest you implement it yourself.

    The "how to implement" suggestion is not easy to answer because we haven't designed it or thought about it deeply. I believe this is a fairly generic topic and you can find some patterns on the web.