Hi
I understand that this template adds an interceptor for. .cshtml files to be rendered by asp.net mvc and returned to client.
I have a question related to securing razor views.
Is there a built-in way to show/hide views based on permissions? Also even if user tries to access view by typing in url to prevent him.
I'm trying to secure my views as I have a requirement some groups can access certain views others cannot.
I appreciate your assistance.
Regards Bilal
7 Answer(s)
-
0
It does not use interceptor, but has a very simple controller: <a class="postlink" href="https://github.com/aspnetboilerplate/aspnetboilerplate/blob/dev/src/Abp.Web.Mvc/Web/Mvc/Controllers/AbpAppViewController.cs#L15">https://github.com/aspnetboilerplate/as ... ler.cs#L15</a>
Normally, you should not rely on hiding the view for security, but you should prevent data access. ABP has permission system for that. That means user may download a view but he can not see any real data, just HTML template. So, this is not a security issue. Think that you didn't use cshtml, but used plain html as angularjs views, how would you prevent users to download these htmls? In brief, you should assume that your html content can be downloadable without permission. The important thing is your data.
BTW, if you really want that, you can create a global MVC filter and check permissions for views, but ABP has no built-in system for that.
-
0
Great thanks for your feedback.
So better I assign permissions on what data user can view/edit rather than securing dummy views.
Does the permission checking system support permissions such that if user 1 has permission 1, the user can edit the data, otherwise, user 1 can only view? Is that something baked-in, or I have to develop on top?
Thanks
-
0
And one more thing, what's the added value of allowing Razor views with angular in a time you have to load separately since you cannot provide a model to a razor view in this case?
Thanks
-
0
Hi Bilal,
You need to use permisison system like this.
First hide the edit button in your view if user does not have the required permisison like here <a class="postlink" href="https://github.com/aspnetzero/aspnet-zero/blob/dev/src/MyCompanyName.AbpZeroTemplate.Web/Areas/Mpa/Views/Users/Index.cshtml#L32">https://github.com/aspnetzero/aspnet-ze ... cshtml#L32</a>
Then you need to secure server side methods using same permisison like this <a class="postlink" href="https://github.com/aspnetzero/aspnet-zero/blob/dev/src/MyCompanyName.AbpZeroTemplate.Application/Authorization/Users/UserAppService.cs#L267">https://github.com/aspnetzero/aspnet-ze ... ce.cs#L267</a> <a class="postlink" href="https://github.com/aspnetzero/aspnet-zero/blob/dev/src/MyCompanyName.AbpZeroTemplate.Application/Authorization/Users/UserAppService.cs#L120">https://github.com/aspnetzero/aspnet-ze ... ce.cs#L120</a>
For your second question, you can use server side code in your cshtml views like the first link I provided in this post for checking user's permisison for showing the button.
-
0
Thanks for your help.
All links are "Page not found" can you find the correct link and send it pls?
Many thanks, Bilal
-
0
Now, you should be able to see links.
-
0
Yes, thanks a lot.