Hi ASP.NET Zero team,
i am searching for a good approach - maybe something which is already implemented in some way - to control the access for users per entity. For example i have a custom entity "Company" and i want to assign users to allow working with that entity. Typical stuff like hiding in views, CRUD etc.
Is there something pre-build which i can re-use instead of reinventing the wheel?
Case is for example: 15 companies available. A user is authorized for a sub amount of them (i.e. 3). All the other entities should be hidden. The permissions/features are more - as i see them - to deactivate the entire area for companies, not a specific sub-amount of them.
Kind regards Michael
4 Answer(s)
-
0
I have been playing around with wanting to do this myself too and just havent had time. I dont believe there is anything done by the zero team yet.
My thoughts are 3 levels of permissions for an entity
- Any/All
- Owner/Admin
- Member (or user connected to entity)
So in principle you would setup CRUD permissions per each of the above EntityName.Any.Create EntityName.Any.Edit EntityName.Any.Delete
EntityName.Own.Edit EntityName.Own.Delete
EntityName.Member.Edit EntityName.Member.Delete
Then inherit from RepoBase with something like EntityPermissionCheckedRepositoryBase and overload/overwrite the repo methods you want to confirm permissions on for example if we had a Customer entity that had users who could view it (but not all users) you might have something like this
public override IQueryable<Customer> GetAll() { var query = base.GetAll(); if (!_permissionChecker.IsGranted(AppPermissions.Pages_Customers_Any)) { //if they cant see all then they are limited to ones they are a member of query = (from c in query join cu in Context.CustomerUsers on c.Id equals cu.CustomerId where cu.UserId == Context.AbpSession.UserId select c); } return query; }
So the above will get the normal query from standard repo base. If the user is not allowed to see all customers then it will add a where clause to the entity to join with a table that says who cant see what and select the customer entity at the finish. This will basically mean that anyone with the Any permission can see all, while those without can only see ones they are connected with. You could then potentially make this generic using interface types and you could even go as far as create a generic entity to replace CustomerUsers (store the entity type name and entity id) and it could map to any entity. For insert/update/delete type permissions you would need to inherit permission checker and expand it to pass in entity you are checking against then check like above and throw error or fail silently. You could also cache the check result to stop unnecessary round trips during those operations
Im not suggesting this is the right way to go and i certainly havent had time to flesh it out properly but its a way i was thinkgin about. You could use an entityframework filter too like they do with tenant id
-
0
A simple way is to associate your custom entities with one or more organisation units. Control access for users through organisation units.
-
0
Yes, this is the best option - OU. OU in combination with permissions = "perfect" control
-
0
Hi,
AspNet Zero doesn't offer a built-in solution for this. For a general solution OUs can be used, you can check https://aspnetboilerplate.com/Pages/Documents/Articles\How-To\add-custom-data-filter-ef-core for a sample implementation.
If that is just one place, you can manually implement that and it might have a better query performance.