
IsGranted(permission) issue with multiTenancy enabled #3318


kbe created

Scenario: We would like to associate each customer company with a tenant in order to bundle users and separate access to data. We would like to define different permissions to protect parts of a web page. We would like to reuse the roles across the different tenants.

Proposed solution:

Tenant 1 used for customer a
Tenant 2 used for customer b

Role A (TenantId NULL), Permission 1 (TenantId NULL)
Role B (TenantId NULL), Permission 2 (TenantId NULL)

Customer a (TenantId 1), role A
Customer b (TenantId 2), role A

When the 'customer a' user logs in, the isGranted(Permission 1) is always false unless a separate role is created with the same TenantId as the customer user. (Role, user, user account, and permission also need to be associated with the same TenantId.)

But this leads to many roles covering the same permission(s), namely that each customer needs to have the same role defined to cover the same permission(s). Is there another way around this? Maybe an isGranted method that does not take tenantId into account, but just checks that a user is associated with a role with a permission, not using the tenantId filter?

I hope it makes sense :)

Cheers Kim


3 Answer(s)
  • ismcagdas created
    Support Team

    Hi,

    If you want that behaviour, you can override UserManager's IsGrantedAsync method and implement it as you like, see https://github.com/aspnetboilerplate/module-zero/blob/master/src/Abp.Zero/Authorization/Users/AbpUserManager.cs#L149

    We didn't do it like that because each tenant can create custom roles as they want.

    Thanks.

  • kbe created

    Hi ismcagdas, Thanks for the reply. I have tried to override the functionality in UserManager, but invoking even simple things seems to result in a hanging process. E.g.

    public override Task<bool> IsGrantedAsync(long userId, Permission permission)
    {
        var permissionGrantInfo = this.AbpStore.GetPermissionsAsync(userId).Result;
        return base.IsGrantedAsync(userId, permission);
    }
    

    Is it illegal to call this.AbpStore.GetPermissionsAsync(userId).Result; in the UserManager? I have tried several other invocations, but they all end in a hanging process. Same behaviour in 1.5.x and 2.0.2.

    If I leave this in as the only code, then it works as normal. return base.IsGranted(...)

    Br Kim

  • kbe created

    The problem is a mistake in the signature of the overriding method. Namely a missing async.

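    public override async Task<bool> IsGrantedAsync(long userId, Permission permission)
    {
        // Custom permission logic goes here; for now defer to the default check.
        return await base.IsGrantedAsync(userId, permission);
    }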
    

    Now, onto making the actual functionality in the IsGrantedAsync.

    Cheers
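
The trade-off discussed in this thread, as an added example that is not code from the thread or from ABP/module-zero: a simplified in-memory model comparing a tenant-filtered permission check with one that also honours host-level roles (TenantId NULL) while still rejecting roles owned by another tenant. The `Role`, `User` and `PermissionChecker` types and the sample data are hypothetical, and the strict check is an assumed stand-in for the behaviour described in the question.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Simplified model with constructed data; these are not ABP/module-zero types.
record Role(string Name, int? TenantId, HashSet<string> Permissions);
record User(string Name, int? TenantId, List<Role> Roles);

static class PermissionChecker
{
    // Strict tenant filter: only roles whose TenantId equals the user's TenantId count.
    public static bool IsGrantedTenantOnly(User u, string permission) =>
        u.Roles.Any(r => r.TenantId == u.TenantId && r.Permissions.Contains(permission));

    // Relaxed check: host-level roles (TenantId null) are shared by every tenant,
    // but a role owned by a different tenant is still never honoured.
    public static bool IsGrantedWithSharedRoles(User u, string permission) =>
        u.Roles.Any(r => (r.TenantId == null || r.TenantId == u.TenantId)
                         && r.Permissions.Contains(permission));
}

static class Program
{
    static void Main()
    {
        // Shared role from the scenario: Role A (TenantId NULL) with Permission 1.
        var roleA = new Role("Role A", null, new HashSet<string> { "Permission 1" });
        // Constructed custom role that belongs to tenant 2 only.
        var tenant2Custom = new Role("Custom", 2, new HashSet<string> { "Permission 2" });

        var customerA = new User("customer a", 1, new List<Role> { roleA });
        // Constructed bad assignment: a tenant 1 user linked to a tenant 2 role.
        var misassigned = new User("misassigned", 1, new List<Role> { tenant2Custom });

        // The strict filter hides the shared role from the tenant 1 user.
        Console.WriteLine(PermissionChecker.IsGrantedTenantOnly(customerA, "Permission 1"));
        // The relaxed check sees the shared role.
        Console.WriteLine(PermissionChecker.IsGrantedWithSharedRoles(customerA, "Permission 1"));
        // The relaxed check must still refuse another tenant's role.
        Console.WriteLine(PermissionChecker.IsGrantedWithSharedRoles(misassigned, "Permission 2"));
    }
}
```

If an override relaxes the tenant filter, the third case is the one to keep covered by a test, since it is where cross-tenant access would appear.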