Hi Guys,
I'm in the process of setting up editions, and creating and implementing features for the editions.
I'm currently trying to restrict access to certain views/app services based on needing to have a required feature. Using the following implementations:
featureDependency: new SimpleFeatureDependency(true, "App.AppBuilder")
I can hide menu items
[RequiresFeature("App.AppBuilder")]
or
if (!await FeatureChecker.IsEnabledAsync("App.AppBuilder")) { throw new AbpAuthorizationException("You don't have this feature: App Builder"); }
I can restrict access to an MVC controller or App Service.
These work well and out of the box for tenant users, however, I am finding that host users get blocked from the controllers that have these feature checks implemented on them.
Do I need to implement the checks differently or is there some additional code that I need to add that allows host users access to feature restricted areas without having an edition assigned?
Thanks, David
6 Answer(s)
Hi @davidharrison,
AuthorizationHelper does not skip the host user when checking for features. I have created a PR for it. If you need the fix urgently, you can apply the changes in your project by replacing AuthorizationHelper with your own MyAuthorizationHelper.
See https://github.com/aspnetboilerplate/aspnetboilerplate/pull/4117
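One way to do what this answer describes, as an added example that is not part of the original thread or of the ABP project's own code: a subclass of AuthorizationHelper that skips the feature check when the current session has no tenant (a host user) and is registered in place of the default helper. It assumes that AuthorizationHelper exposes a protected virtual CheckFeatures(MethodInfo, Type), an AbpSession property and a constructor taking IFeatureChecker and IAuthorizationConfiguration, which is the shape it had around the time of this thread; verify all three against the ABP version you run.

```csharp
using System;
using System.Reflection;
using System.Threading.Tasks;
using Abp.Application.Features;
using Abp.Authorization;
using Abp.Configuration.Startup;
using Abp.Dependency;
using Abp.Modules;

// Hypothetical replacement helper: feature checks are bypassed only for
// host users (AbpSession.TenantId == null). Permission checks are untouched,
// so a host user still needs the permission named in [AbpAuthorize].
public class MyAuthorizationHelper : AuthorizationHelper
{
    public MyAuthorizationHelper(IFeatureChecker featureChecker,
                                 IAuthorizationConfiguration authConfiguration)
        : base(featureChecker, authConfiguration)
    {
    }

    // Assumption: CheckFeatures(MethodInfo, Type) is protected virtual and
    // AbpSession is property-injected in the base class of your ABP version.
    protected override Task CheckFeatures(MethodInfo methodInfo, Type type)
    {
        if (!AbpSession.TenantId.HasValue)
        {
            // Host user: no edition is assigned, so there is nothing to check.
            return Task.CompletedTask;
        }

        // Tenant user: keep the normal [RequiresFeature] enforcement.
        return base.CheckFeatures(methodInfo, type);
    }
}

// Register the subclass in place of the default helper from your module.
public class MyAppModule : AbpModule
{
    public override void PreInitialize()
    {
        Configuration.ReplaceService<IAuthorizationHelper, MyAuthorizationHelper>(
            DependencyLifeStyle.Transient);
    }
}
```

The bypass keys on the absence of a tenant id, so a host user impersonating a tenant is still feature-checked as that tenant.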
My answer: https://github.com/aspnetboilerplate/aspnetboilerplate/pull/4117#issuecomment-449702794
I think a method with the [RequiresFeature] attribute is not ideal to share between a tenant and a host user. There should be two use cases (application service methods or different application services) normally. I suggest you reconsider your design.
@ryancyq & @hikalkan thank you both for your responses and your discussion on the pull request.
The idea behind our use case is that, as the host, we define the application editions and specify the features each edition has. Tenants are then assigned different editions and thus get access to various features as defined by the assigned edition. As the host, having access to all of the platform's features is beneficial because we can test functionality, check that it's working after updates, etc. I myself, as a developer of our app, use a host user account, and our automated functional testing also uses a host user account; both are done this way because they have access to all features and functions of the app. This is, however, majorly disrupted if blocked by the feature checkers.
Another point for consideration is that features restricted by the features system may not be, and in our application certainly aren't, exclusively designed to work only for tenant users. A host user using a given feature doesn't change the operation or outcome of the feature, even though it has a null tenant id.
However, if the status quo remains and feature checking is left as a tenant-only scope, one thing that would be very beneficial to future devs would be explicit exception messages. Currently, a feature checker on an MVC controller returns a 500 error, and on an application service it also returns a 500 error but is caught by error handling and thus displays the generic "An internal error occurred during your request!"
Thanks, David
@davidharrison I understand your case. I still believe most application service methods with the [RequiresFeature] attribute will not work as expected if we allow a host user to call them. However, there may be cases like yours. The best we can do is to define an option like IgnoreFeatureCheckForHostUsers in the multi-tenancy configuration, and you can enable it in your own application. However, what about permissions? If the method with the [RequiresFeature] attribute also has the AbpAuthorize attribute with a permission name, it cannot be called by a host user without the given permission.
@hikalkan thank you for your response.
Something like IgnoreFeatureCheckForHostUsers would be amazing to have, so that we have the option of allowing host users through feature checks. As for permissions, if I am understanding you correctly, we've had no issues with AbpAuthorize/AbpMvcAuthorize attributes on classes/methods as host users, as the host users have roles and permissions assigned and can access authorised areas without issue. Having both a permission check and a feature check on a given class/method shouldn't be an issue for a host user, so long as the feature check can be bypassed and they have the right permission assigned?
I created an issue for this: https://github.com/aspnetboilerplate/aspnetboilerplate/issues/4151