
Extend authorization module #7010


0
cbogner85 created

Hello,

I really like the way authorization is implemented in ASP.NET Zero.

However, I need a more sophisticated way of granting permissions: I'm developing something similar to a project management system, where tenants/users can manage project files. The system is also feature-based (upload, download, edit, ...), but some features need to be in combination with project id. For example, user 1 has full access to project 1 but no access to project 2, user 2 has access to some features regarding project 1 and so on. Of course, I also need global permissions like 'create new projects' (actually this is possible with the current implementation).

When I look at AbpPermissions table in SQL Server, it seems that it's almost what I need, I only need to add more dimensions, i.e. ProjectId.

Is there a possibility to extend the integrated authorization module to fulfil my needs?

Edit: Forgot to mention that I'm using ASP.NET Core & jQuery (current version 6.9.1)


6 Answer(s)
  • 1
    ryancyq created

    Hi, Abp permission is designed to be action-based permission (i.e. create new user/role, update user/role details, delete user/role) on User, Role levels only (currently it does not support enforcing a user to be ONLY able to update/delete CERTAIN users/roles).

    If you need permission control at per-project level, then you should add UserId or RoleId to your project entity and implement a separate permission check for it.

  • 0
    cbogner85 created

    Hi,

    thanks for your quick reply.

    I'm currently upgrading an existing project from Classic ASP.NET (Webforms) to ASP.NET Zero and basically your suggestion is how I did it in the previous version. Where should this permission check take place in ASP.NET Zero to follow best practice? I'm quite new to ASP.NET Core and thought I could maybe extend/overload or "copy" Abp permission to follow best practices.

    I also need to show/hide menu items based on custom permission checks.

    Thanks in advance
    Claus

  • 1
    ryancyq created

    Hi, the way to implement this depends on the permission's granularity on your project entity.

    Abp permission only allows customisation of allowed/approved actions (e.g. CRUD) that a user can perform.

    If your business logic requires permissions to be configured for different project entities and the different users assigned to them, you will not be able to reuse Abp permission; instead, please use the approach of creating ProjectPermission or ProjectAssignment (with permissions).

    Where should this permission check take place in ASP.NET Zero to follow best practice?

    Generally you can declare Abp permissions in your authorization provider, e.g.

    • AppPermissions.Pages_Project_Management
    • AppPermissions.Pages_Project_Management_Create
    • AppPermissions.Pages_Project_Management_Update
    • AppPermissions.Pages_Project_Management_Delete

    and use these to show/hide menu items based on custom permission checks.

    As for the project entity, you can create a separate domain service (e.g. ProjectPermissionChecker) to handle CRUD permissions at project entity level.
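
An added sketch of the ProjectPermissionChecker idea from the answer above (not code from the thread or from ASP.NET Zero). `ProjectAction`, `ProjectAssignment`, the in-memory grant store, the delegate standing in for the Abp permission check and the permission name strings are all assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;

[Flags]
public enum ProjectAction { None = 0, Download = 1, Upload = 2, Edit = 4, Delete = 8 }

// Hypothetical entity: one row per (tenant, user, project) with the allowed actions.
public sealed record ProjectAssignment(int TenantId, long UserId, int ProjectId, ProjectAction Allowed);

public sealed class ProjectPermissionChecker
{
    private readonly Dictionary<(int, long, int), ProjectAction> _grants = new();
    // Stand-in for the action-level (Abp) permission check: (userId, permissionName) -> granted.
    private readonly Func<long, string, bool> _isGrantedGlobally;

    public ProjectPermissionChecker(IEnumerable<ProjectAssignment> assignments,
                                    Func<long, string, bool> isGrantedGlobally)
    {
        foreach (var a in assignments)
            _grants[(a.TenantId, a.UserId, a.ProjectId)] = a.Allowed;
        _isGrantedGlobally = isGrantedGlobally;
    }

    // Deny by default: the action-level permission AND a grant on this project are both required.
    public bool IsGranted(int tenantId, long userId, int projectId, string permissionName, ProjectAction action)
    {
        if (action == ProjectAction.None || !_isGrantedGlobally(userId, permissionName)) return false;
        return _grants.TryGetValue((tenantId, userId, projectId), out var allowed)
               && (allowed & action) == action;
    }
}

public static class Demo
{
    public static void Main()
    {
        const string upload = "Pages.Project.Upload"; // constructed permission name
        var all = ProjectAction.Download | ProjectAction.Upload | ProjectAction.Edit | ProjectAction.Delete;
        var checker = new ProjectPermissionChecker(
            new[] { new ProjectAssignment(1, 1, 1, all),                      // user 1: full access to project 1
                    new ProjectAssignment(1, 2, 1, ProjectAction.Download) }, // user 2: download only
            (userId, permission) => permission == upload);                    // both users hold the global permission

        Console.WriteLine(checker.IsGranted(1, 1, 1, upload, ProjectAction.Upload)); // user 1, project 1
        Console.WriteLine(checker.IsGranted(1, 1, 2, upload, ProjectAction.Upload)); // user 1, project 2 (no row)
        Console.WriteLine(checker.IsGranted(1, 2, 1, upload, ProjectAction.Upload)); // user 2, project 1
        Console.WriteLine(checker.IsGranted(2, 1, 1, upload, ProjectAction.Upload)); // same ids, other tenant
    }
}
```

Calling the same check from the application service that loads or modifies a project, and not only from the menu, keeps hidden menu items from being the sole barrier to another project's files.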

  • 0
    cbogner85 created

    Thank you very much for your clear response.

    I'll try to implement it this way :)

    Just to clarify, my main menu also depends on project's permissions and items will change when a user switches between projects. That means, for some items I can't use AppPermissions approach to perform show/hide actions. Yet I have no idea how I will accomplish this, since .AddItem(...) in AppNavigationProvider only allows permissionDependency or featureDependency... initially I thought I could write something like this:

    menu.AddItem(
        new MenuItemDefinition(
            AppPageNames.Common.Project,
            L("UploadFiles"),
            permissionDependency: new ExtendedPermissionDependency(AppPermissions.Pages_Project_Upload, CurrentProjectId)
        )
    );

    by creating my own "ExtendedPermissionDependency" class.

    Best regards
    Claus

  • 0
    ryancyq created

    Hi, the idea of creating your own permission dependency is good.

    However, it might require quite a bit of work to get the current project id in the permission context.

    You can consider checking for the current project id in your own IUserNavigationManager instead.

  • 0
    cbogner85 created

    Hi,

    great tip - that was easy to accomplish :)

    Thank you very much!