What is the difference between the AbpSession.ToUserIdentifier() vs UserManager.FindByIdAsync?
Which one is best to use?
Thanks in advance
27 Answer(s)
-
0
They serve very different purposes.
AbpSession.ToUserIdentifier()gets an instance ofUserIdentifierbased solely on the values in the claims.UserManager.FindByIdAsync(...)gets a tracked instance ofUserfrom the database. -
0
They return different return values and are also used for different functions.
-
0
Does UserManager hits database all the time or it caches results on memory?
Thanks
-
0
Default will not be cached. Of course, it depends on the specific ORM. If you feel that there is a performance issue, you can implement the caching feature yourself.
-
0
It gets a tracked instance from the database, so it hits the database.
Entity instances are not (and probably should not be) cached directly.
By the way, ASP<span></span>.NET Boilerplate is open source: https://github.com/aspnetboilerplate/aspnetboilerplate
-
0
I have a table X which references Tenant Table (each row has a TenantId)
I want to get contents of table that belong to Tenant that requested X table.
Which is best to use in terms of security
AbpSession.ToUserIdentifier() or UserManager.FindByIdAsync(...)Thanks
-
0
You can use Repositories https://aspnetboilerplate.com/Pages/Documents/Repositories
If you are not familiar with ABP and abp zero,The documentation will be your best tool. https://aspnetboilerplate.com/Pages/Documents/ http://docs.aspnetzero.com
-
0
Yes I know how to retrieve it.
What I am asking is when I do a where x.TenantId = tenantId; What shall I use the AbpSession.ToUserIdentifier().TenantId or the UserManager.FindByIdAsync(...).TenantId as tenantId.
In terms of security what is the correct approach?
-
0
TenantIdof user should not change.Also, ABP has built-in tenant data filters: https://aspnetboilerplate.com/Pages/Documents/Data-Filters#imusthavetenant
-
0
AbpSession.TenantIdcan be trusted. -
0
AbpSession.TenantId cannot be tampered or changed by the ?
-
0
ASP<span></span>.NET Core provides cookie middleware which serializes a user principal into an encrypted cookie and then, on subsequent requests, validates the cookie, recreates the principal and assigns it to the
Userproperty onHttpContext.References:
- https://aspnetcore.readthedocs.io/en/stable/security/authentication/cookie.html
- https://docs.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-2.2
- https://andrewlock.net/exploring-the-cookieauthenticationmiddleware-in-asp-net-core/
-
0
Thanks @aaron for your help. Have checked the IMayHaveTenant documentation.
I have one last question to that.
How does this affect performance? To use a filter it means whenever i request something from database using IRepository it intercepts request and adds TenantId. IMHO this results in performance penalty opposed to do it manually when requesting it (x.TenantId = user.TenantId)
-
0
No significant impact on performance. Linq queries are compiled and cached by EF Core.
-
0
I am not saying about the query execution. I was talking about how it intercepts and modify query when IMustHaveTenant is there.
-
0
Okay.
-
0
aaron I still dont understand how IMustHaveTenant works. Tried to read the documentation but it does not say much apart from
IMustHaveTenant defines the TenantId property to distinguish between different tenant entities. ASP.NET Boilerplate uses the IAbpSession to get the current TenantId by default and automatically filters the query for the current tenant.How does it work with Update and Insert methods. Cant find any example. Do I need to set TenantId when updating or inserting or IMustHaveTenant does it automatically? Also If I set it manually does IMustHaveTenant checks if that TenantId is the correct one when updating a record? -
0
Do I need to set TenantId when updating or inserting or IMustHaveTenant does it automatically?
ABP sets
TenantIdforIMustHaveTenantbut not forIMayHaveTenant.Also If I set it manually does IMustHaveTenant checks if that TenantId is the correct one when updating a record?
No, ABP does not check since it may be intended.
The documentation describes the behaviour. If you want to know every detail about how it is implemented, then you can read the source code. Both ABP and EF Core are open source.
-
0
ABP sets TenantId for IMustHaveTenant but not for IMayHaveTenant.I tried using IMustHaveTenant when calling Update method of the repository it and it does not set it. It actually throws an exception because value is 0.
-
0
Show the error message and stack trace.
-
0
This is my code:
[Table("TestOrder")] public class Order : Entity<long>, IMustHaveTenant { [Required] public string Name { get; set; } public string Description { get; set; } ..... [ForeignKey("TenantId")] public Tenant Tenant { get; set; } public int TenantId { get; set; } } [HttpPost] [AbpAuthorize(AppPermissions.Pages_Orders_Edit)] public async Task UpdateOrder(OrderInputDto input) { Order order = ObjectMapper.Map<Order>(input); await ordersTypeRepository.UpdateAsync(order); }and this is the error that I get:
An error occurred while updating the entries. See the inner exception for details. Microsoft.EntityFrameworkCore.DbUpdateException: An error occurred while updating the entries. See the inner exception for details. ---> MySql.Data.MySqlClient.MySqlException: Cannot add or update a child row: a foreign key constraint fails (`testfb`.`Order`, CONSTRAINT `FK_Order_AbpTenants_TenantId` FOREIGN KEY (`TenantId`) REFERENCES `AbpTenants` (`Id`) ON DELETE CASCADE) ---> MySql.Data.MySqlClient.MySqlException: Cannot add or update a child row: a foreign key constraint fails (`testfb`.`Order`, CONSTRAINT `FK_Order_AbpTenants_TenantId` FOREIGN KEY (`TenantId`) REFERENCES `AbpTenants` (`Id`) ON DELETE CASCADE) at MySqlConnector.Core.ServerSession.TryAsyncContinuation(Task`1 task) in C:\projects\mysqlconnector\src\MySqlConnector\Core\ServerSession.cs:line 1245 at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke() at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state) --- End of stack trace from previous location where exception was thrown --- at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot) --- End of stack trace from previous location where exception was thrown --- at MySqlConnector.Core.ResultSet.ReadResultSetHeaderAsync(IOBehavior ioBehavior) in C:\projects\mysqlconnector\src\MySqlConnector\Core\ResultSet.cs:line 42 --- End of inner exception stack trace --- at MySql.Data.MySqlClient.MySqlDataReader.ActivateResultSet(ResultSet resultSet) in C:\projects\mysqlconnector\src\MySqlConnector\MySql.Data.MySqlClient\MySqlDataReader.cs:line 74 at MySql.Data.MySqlClient.MySqlDataReader.ReadFirstResultSetAsync(IOBehavior ioBehavior) in C:\projects\mysqlconnector\src\MySqlConnector\MySql.Data.MySqlClient\MySqlDataReader.cs:line 299 at MySql.Data.MySqlClient.MySqlDataReader.CreateAsync(MySqlCommand command, CommandBehavior behavior, ResultSetProtocol resultSetProtocol, IOBehavior ioBehavior) in C:\projects\mysqlconnector\src\MySqlConnector\MySql.Data.MySqlClient\MySqlDataReader.cs:line 284 at MySqlConnector.Core.TextCommandExecutor.ExecuteReaderAsync(String commandText, MySqlParameterCollection parameterCollection, CommandBehavior behavior, IOBehavior ioBehavior, CancellationToken cancellationToken) in C:\projects\mysqlconnector\src\MySqlConnector\Core\TextCommandExecutor.cs:line 37 at Microsoft.EntityFrameworkCore.Storage.Internal.RelationalCommand.ExecuteAsync(IRelationalConnection connection, DbCommandMethod executeMethod, IReadOnlyDictionary`2 parameterValues, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.Update.ReaderModificationCommandBatch.ExecuteAsync(IRelationalConnection connection, CancellationToken cancellationToken) --- End of inner exception stack trace --- at Microsoft.EntityFrameworkCore.Update.ReaderModificationCommandBatch.ExecuteAsync(IRelationalConnection connection, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.Update.Internal.BatchExecutor.ExecuteAsync(DbContext _, ValueTuple`2 parameters, CancellationToken cancellationToken) at Pomelo.EntityFrameworkCore.MySql.Storage.Internal.MySqlExecutionStrategy.ExecuteAsync[TState,TResult](TState state, Func`4 operation, Func`4 verifySucceeded, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.ChangeTracking.Internal.StateManager.SaveChangesAsync(IReadOnlyList`1 entriesToSave, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.ChangeTracking.Internal.StateManager.SaveChangesAsync(Boolean acceptAllChangesOnSuccess, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.DbContext.SaveChangesAsync(Boolean acceptAllChangesOnSuccess, CancellationToken cancellationToken) at Abp.EntityFrameworkCore.AbpDbContext.SaveChangesAsync(CancellationToken cancellationToken) in D:\Github\aspnetboilerplate\src\Abp.EntityFrameworkCore\EntityFrameworkCore\AbpDbContext.cs:line 215 at Abp.Zero.EntityFrameworkCore.AbpZeroCommonDbContext`3.SaveChangesAsync(CancellationToken cancellationToken) in D:\Github\aspnetboilerplate\src\Abp.ZeroCore.EntityFrameworkCore\Zero\EntityFrameworkCore\AbpZeroCommonDbContext.cs:line 165 at Abp.EntityFrameworkCore.Uow.EfCoreUnitOfWork.SaveChangesInDbContextAsync(DbContext dbContext) in D:\Github\aspnetboilerplate\src\Abp.EntityFrameworkCore\EntityFrameworkCore\Uow\EfCoreUnitOfWork.cs:line 167 at Abp.EntityFrameworkCore.Uow.EfCoreUnitOfWork.SaveChangesAsync() in D:\Github\aspnetboilerplate\src\Abp.EntityFrameworkCore\EntityFrameworkCore\Uow\EfCoreUnitOfWork.cs:line 68 at Abp.EntityFrameworkCore.Uow.EfCoreUnitOfWork.CompleteUowAsync() in D:\Github\aspnetboilerplate\src\Abp.EntityFrameworkCore\EntityFrameworkCore\Uow\EfCoreUnitOfWork.cs:line 83 at Abp.Domain.Uow.UnitOfWorkBase.CompleteAsync() in D:\Github\aspnetboilerplate\src\Abp\Domain\Uow\UnitOfWorkBase.cs:line 273 at Abp.AspNetCore.Mvc.Uow.AbpUowActionFilter.OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next) in D:\Github\aspnetboilerplate\src\Abp.AspNetCore\AspNetCore\Mvc\Uow\AbpUowActionFilter.cs:line 49 at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeNextActionFilterAsync() at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.Rethrow(ActionExecutedContext context) at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted) at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeInnerFilterAsync() at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeNextExceptionFilterAsync() -
0
Are you logged in as tenant? What is the value of
AbpSession.TenantId? -
0
Yes I am logged in. I found out what is the problem. IMustHaveTenant does not work for db Update operations. only for create, read and delete.
-
0
Yes, ABP only sets
TenantIdforIMustHaveTenantadded entities by design. If you set it to0and update it, then ABP doesn't stop you.Yes, ABP has built-in tenant data filters for read.
What do you mean by "work for ... delete"?
-
0
When someone call repository<TEntity>.Delete(id) where TEntity implements IMustHaveTenant it cannot delete that TEntity if it does not belong to him
-
0
That is because ABP reads the entity first.
-
0
Yes correct
