
Activities of "joe704la"

I was wondering if I could get some help with permissions.

I want to create a Role where a user can view all users except Admin users. I want to create a manager role that can edit a "User" role but not even see "Admin" users. Is this possible and if so how would I be able to do it?

Awesome to hear. I am going to try and implement it myself as I am going through making other security enhancements.

For example, I would like to do something like this: http://www.jlum.ws/post/2014/5/27/user-lockouts-in-aspnet-identity-2-with-aspnet-mvc-5

Since you use ASP.NET Identity it should be possible. But I am confused on one part. In that article they add three lines to the IdentityConfig.cs file, and I am wondering where something like that would go in an ASP.NET Zero project.

I would like to create some kind of user lockout feature after 5 or so unsuccessful login attempts. Do you have any suggestions on how to do this?

Still trying to get this to work with the Dynamic Controllers. For the most part I have it working for all POST requests except one. I ended up putting this line of code

config.headers['X-XSRF-Token'] = angular.element('input[name="__RequestVerificationToken"]').attr('value');

in the abp.ng.js file under the..

abpModule.config([
    '$httpProvider', function ($httpProvider) {
        $httpProvider.interceptors.push(['$q', function ($q) {
            return {
                'request': function (config) {
                    if (endsWith(config.url, '.cshtml')) {
                        config.url = abp.appPath + 'AbpAppView/Load?viewUrl=' + config.url + '&_t=' + abp.pageLoadTime.getTime();
                    }
                    // Anti-forgery token: copy the value of the hidden
                    // __RequestVerificationToken input into a request header
                    config.headers['X-XSRF-Token'] = angular.element('input[name="__RequestVerificationToken"]').attr('value');
                    return config;
                },

As you can see here, this works for the most part to send the headers. But there is one service that runs right before this seems to be loaded. The service that fails without the header XSRF token is /api/services/app/session/GetCurrentLoginInformations. This must fire off before either abpModule.config is run or the layout is loaded. The layout.cshtml is where I have the @Html.AntiForgeryToken() being generated.

Would you have any suggestions? This is hanging me up big time.

I decided not to inherit from AbpWebApiModule since I was unable to get it working with Castle Windsor. What I ended up doing is creating my own AbpWebApiCustomModule that only initialized my custom filter to validate the Anti-Forgery token. I then added this to be used like this in my CompanyWebAPIModule [DependsOn(typeof(AbpApiCustomModule), typeof(AbpWebApiModule)...

This all worked as I hoped it would, but now I am having a different problem with getting Angular to send the token as a header, since ASP.NET creates a cookie called __RequestVerificationToken and not X-XSRF-Token as Angular is looking for.

Doing something like this...

.run(function($http) { $http.defaults.headers.common['X-XSRF-Token'] = angular.element('input[name="__RequestVerificationToken"]').attr('value'); })

doesn't work either since you are wrapping the $http with a dynamic service. So I am unsure how to handle this for every Angular request.

Any ideas?

Sounds good. For now I am going to try and create my own WebApiModule that inherits from AbpWebApiModule and then override the Initialize() method and create my own IntializeFilters() private method that adds a ValidateAPIAntiForgeryTokenAtribute I create to validate these AntiForgery tokens.

I haven't finished this yet but I am hoping then in the WebAPIModule I will have it depend on the one that inherits from AbpWebApiModule and I am hoping it will use that attribute in the dynamic api controller builder.

It's just a concept right now but I will post an update on whether it works or not.

I just learned that the AngularJS $http service reads a token from a cookie (it looks for XSRF-TOKEN and ASP.NET uses __RequestVerificationToken), and then Angular will set it as an HTTP header (X-XSRF-TOKEN).

The documentation talks a bit about this here, about halfway down the page in the section labeled "Cross Site Request Forgery (XSRF) Protection": https://docs.angularjs.org/api/ng/service/$http

Here is a good example of how to do this in ASP.NET MVC or WebAPI. The problem is, since you use the Dynamic WebAPI controllers for the Angular App, I have no idea how to make this work for those. http://geekswithblogs.net/Frez/archive/2015/01/11/anti-forgery-tokens-with-angularjs-and-asp.net-web-api.aspx

Any help would be greatly appreciated.
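
The cookie-to-header convention described in the post above, modelled as an added example (not code from the post, AngularJS or ABP) that runs under Node. The option names mirror $http's xsrfCookieName and xsrfHeaderName settings; the cookie value, origin and a script-readable cookie are assumptions made for the sample.

```javascript
// Added illustration: with the default names the ASP.NET cookie is never
// picked up, so no header is sent and server-side validation rejects the call.
const DEFAULTS = { xsrfCookieName: 'XSRF-TOKEN', xsrfHeaderName: 'X-XSRF-TOKEN' };

// Parse a document.cookie-style string into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// Relative URLs resolve against the page origin, so they count as same-origin.
function isSameOrigin(url, pageOrigin) {
  return new URL(url, pageOrigin).origin === new URL(pageOrigin).origin;
}

// Return a copy of the request config with the token header added when the
// request is same-origin and the named cookie exists; otherwise unchanged.
// The token is never attached to cross-origin requests.
function applyXsrfHeader(config, cookieString, pageOrigin, names = DEFAULTS) {
  const headers = Object.assign({}, config.headers);
  if (isSameOrigin(config.url, pageOrigin)) {
    const token = parseCookies(cookieString)[names.xsrfCookieName];
    if (token) headers[names.xsrfHeaderName] = token;
  }
  return Object.assign({}, config, { headers });
}

// Constructed sample data: cookie value, origin and cross-origin URL are made up.
const PAGE = 'https://app.example.test';
const COOKIES = 'lang=en; __RequestVerificationToken=tok123';
const ASPNET_NAMES = { xsrfCookieName: '__RequestVerificationToken', xsrfHeaderName: 'X-XSRF-Token' };
const API = '/api/services/app/session/GetCurrentLoginInformations';

function demo() {
  const post = (url, names) => applyXsrfHeader({ method: 'POST', url }, COOKIES, PAGE, names).headers;
  return {
    defaultNames: post(API),                                   // cookie name mismatch
    aspNetNames: post(API, ASPNET_NAMES),                      // names aligned
    crossOrigin: post('https://other.example.test/api', ASPNET_NAMES),
  };
}
console.log(demo());
```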

I was wondering if you figured out a way to make the Anti-Forgery mechanism automatic, which you suggested back in September of last year you were working on?

Oh yes I see that now. Thank you.
