Extend authorization module #7010
I really like the way how authorization is implenented in ASP.NET Zero.
However, I need a more sophisticated way of granting permissions: I'm developing something similar to a a project management system, where tenants/ users can manage project files. The system is also feature-based (upload, download, edit, ...), but some features need to be in combination with project id. For example, user 1 has full access to project 1 but no access to project 2, user 2 has access to some features regarding project 1 and so on. Of course, I also need global permissions like 'create new projects' (actually this is possible with the current implementation).
When I look at AbpPermissions table in SQL Server, it seems that it's almost what I need, I only need to add more dimensions, i.e. ProjectId.
Is there a possbility to extend integrated authorization module to fulfil my needs?
Edit: Forgot to mention that I'm using ASP.NET Core & jQuery (current version 6.9.1)
Hi, abp permission is designed to be action base permission (i.e. create new user/role, update user/role details, delete user/role) on
Rolelevels only (currently it does not support enforcing a user to be ONLY able update/delete for CERTAIN users/roles)
if you need permission control at per project level, then you should add
RoleIdto your project entity and implement a separate permission check for it.
thanks for your quick reply.
I'm currently upgrading an existing project from Classic ASP.NET (Webforms) to ASP.NET Zero and basically your suggestion is how I did it in the previous version. Where should this permission check take place in ASP.NET Zero to follow best practise? I'm quite new to ASP.NET Core and thought I could maybe extend/overload or "copy" abp permission to follow best practises.
I also need to show/hide menu items based on custom permission checks.
Thanks in advance Claus
Hi, the way to implements depends on the permission's granularity on your project entity.
Abp permission only allow customisation of allowed/approval actions (e.g. CRUD) that a user can perform.
If your business logic required permissions to be configured for different project entities and different user that assigned to it. You will not be able to reuse Abp permission, instead please use the approaches of creating
Where should this permission check take place in ASP.NET Zero to follow best practise?
Generally you can declare Abp permissions in your authorization provider, e.g.
and use these for
show/hide menu items based on custom permission checks
As for project entity, you can create a seperate domain service (e.g.
ProjectPermissionChecker) to handle
CRUDpermissions at project entity level.
Thank you very much for your clear response.
I'll try to implement it this way :)
Just to clarify, my main menu also depends on project's permissions and items will change when a user switches between projects. That means, for some items I can't use AppPermissions approach to perform show/hide actions. Yet I have no idea how I will accomplish this, since .AddItem(...) in AppNavigationProvider only allows permissionDependency or featureDependency... initially I thought I could write something like this:
menu .AddItem(new MenuItemDefinition( AppPageNames.Common.Project, L("UploadFiles"), permissionDependency: new ExtendedPermissionDependency(AppPermissions.Pages_Project_Upload, CurrentProjectId) )
by creating my own "ExtendedPermissionDependency" class.
Best regards Claus