It appears that in ABP authorization, if a user is a member of a role that is granted permission X, but doesn't have permission X granted directly on his user record, the result is to deny X.
Is this correct? Shouldn't a user automatically inherit all the permissions for his assigned role(s)? In particular, if I later add a new permission to a role, I would expect all the role members to be granted that permission. This doesn't seem to be the case now.
2 Answer(s)
-
0
After some further testing I notice that user permission inheritance from role does seem to work for users I create but is broken for the built-in "admin" account where I first noticed the unexpected behavior.
-
0
Hi,
It works as you expected. I could not repeat the problem. For a simple test:
- I created a demo from aspnetzero.com
- Logged in, went to the roles page
- Edited the Admin role and removed a permission (for example, audit log page).
- Refreshed the page and saw that the audit log page was removed from the menu.
- Re-edited the Admin role and added the audit log page.
- Refreshed the page and saw that the audit log page was in the menu.
Maybe you did not refresh the page (for SPA, it's needed since client caches permissions).
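
The behaviour discussed in this thread, as an added example that is not part of either post and is not ABP code: a simplified C# model in which a server-side check unions direct user grants with role grants, and a client keeps a per-page-load copy. All type, member, user and permission names are hypothetical and the data is constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Simplified model, not ABP's implementation; every name here is hypothetical.
class PermissionStore
{
    public Dictionary<string, HashSet<string>> RoleGrants = new Dictionary<string, HashSet<string>>();
    public Dictionary<string, HashSet<string>> UserGrants = new Dictionary<string, HashSet<string>>();
    public Dictionary<string, List<string>> UserRoles = new Dictionary<string, List<string>>();

    // Granted if set directly on the user OR on any role the user belongs to.
    public bool IsGranted(string user, string permission)
    {
        if (UserGrants.TryGetValue(user, out var direct) && direct.Contains(permission)) return true;
        return UserRoles.TryGetValue(user, out var roles) &&
               roles.Any(r => RoleGrants.TryGetValue(r, out var g) && g.Contains(permission));
    }
}

// Stands in for the SPA: it copies the user's permissions once per page load.
class ClientSession
{
    public static readonly string[] KnownPermissions = { "AuditLogs", "Roles" }; // constructed names
    private readonly PermissionStore _server;
    private readonly string _user;
    private HashSet<string> _snapshot = new HashSet<string>();

    public ClientSession(PermissionStore server, string user) { _server = server; _user = user; Refresh(); }
    public void Refresh() =>
        _snapshot = new HashSet<string>(KnownPermissions.Where(p => _server.IsGranted(_user, p)));
    public bool MenuShows(string permission) => _snapshot.Contains(permission);
}

static class Program
{
    static void Main()
    {
        var server = new PermissionStore();
        server.RoleGrants["Admin"] = new HashSet<string> { "Roles" };
        server.UserRoles["alice"] = new List<string> { "Admin" };       // constructed sample user
        var browser = new ClientSession(server, "alice");               // page load

        server.RoleGrants["Admin"].Add("AuditLogs");                    // role edited after page load
        Console.WriteLine(server.IsGranted("alice", "AuditLogs"));      // server check against current role grants
        Console.WriteLine(browser.MenuShows("AuditLogs"));              // client still uses its old snapshot
        browser.Refresh();                                              // the page refresh from the answer
        Console.WriteLine(browser.MenuShows("AuditLogs"));              // snapshot rebuilt from the server
    }
}
```

In this model the cached copy only decides what the menu displays; the server-side check is the one that follows role edits immediately.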