Base solution for your next web application
Starts in:
01 DAYS
01 HRS
01 MIN
01 SEC
Open Closed

Restrict users to their own entities #3551


User avatar
0
zokho created

Hi, I have already put this question on [https://stackoverflow.com/questions/44937851/restrict-users-to-their-own-entities]) and have received a response but just thought that there might be a feature in the ASPZero product that would take care of it in the better way. Here is the question again: How can we restrict users to their own entities within the Framework? I know that we can check the session Id or include the currentSession in the LINQ query but I kind of wonder if the framework provides a better and efficient way to overcome this?

Regards,


4 Answer(s)
  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi,

    If you want to show users only the entities created by that user, you can create a interface similar to IMustHaveTenant. Then if an entity implements this interface, you can filter CreatorUserId field with current session's userId (AbpSession.UserId).

    You can check this document for more information <a class="postlink" href="https://aspnetboilerplate.com/Pages/Documents/Data-Filters">https://aspnetboilerplate.com/Pages/Doc ... ta-Filters</a>

    Thanks.

  • User Avatar
    0
    zokho created

    Thanks for the response. I see what you mean by having a filter applied on showing results. But that does not really restrict users of only modifying their own entities as of someone can simply call an update API method and providing details of an entity which is for others. By the way is applicable in my case as i am using Entity Framework Core!

    Any chance that I could achieve it by defining an Attribute? I mean defining a custom Attribute to be applied on each API method, which checks if the user who is about to modify an entity is the owner of it. If was not then throw an error...

  • User Avatar
    0
    alper created
    Support Team

    the attribute approach will not rescue you from " someone can simply call an update API method and providing details of an entity which is for others"

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi @zokho,

    Then, you can compare userId on session with the given entities CreatorUserId (or the one you added) when saving this entity in your DbContext's overriden ApplyAbpConcepts method and throw error if comparison fails.

    Is this approach good for you ?

    If you want to do it with an attribute, you will also need to retrieve the updating entity first to make this comparison.

    Thanks.