Open Closed

Overriding Roles #7131


User avatar
0
aldhamdy created
  • ABP Framework version: v8.0.4
  • UI Type: Angular
  • Database System: EF Core (SQL Server)
  • Auth Server Separated (for Angular): yes
  • Exception message and full stack trace:
  • Steps to reproduce the issue:

Dear Abp Team,

We want to have tow type of users (admins, customers),

  • admins: are users of company stuffs which permitted to use the angular back-office for managing business.
  • customers: are user who we register/collect a full KYC data of them and have separate table, and have there users linked to them in AbpUsers table (we extended the Abpusers and add cutomer_id column), also customer-user are designed to access the system via mobile app.

customer are enrolled via developed APIs which has many business rule like (KYC, ..etc). after customer enrolled they assigned to a specific group. Groups are acting like aggregate for many things ( allowed services, limits, fees, ...etc). we implement the following: 1- when admins create a group and link it with the allowed services, system create role with the same name of group and assign linked services permissions to this role. 2- when user added to group an event fired to give the customer-user the same role of group.

now we need to ensure the following: 1- admins can not change/delete the roles that have been created for group purposes. (except via our developed api Groups APIs) 2- admins can not add any user to those roles mentioned above. (except via our developed api Groups APIs) 3- customers-users can not login via angular/auth (the built-in apis) login page. (or if it possible to link users with a client_id, so how can we check this).

We are lookup for your support to implement the requirements with the best practices and methods.

Thanks & best regards,


1 Answer(s)
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    when admins create a group and link it with the allowed services, system create role with the same name of group and assign linked services permissions to this role.

    You can create an event handler to subscribe to entity creation events to create roles: https://docs.abp.io/en/abp/latest/Local-Event-Bus

    For example:

    public class MyHandler
        : ILocalEventHandler<EntityCreatedEventData<YourGroupEntity>>,
          ITransientDependency
    {
        private readonly 
        public async Task HandleEventAsync(
            EntityCreatedEventData<YourGroupEntity> eventData)
        {
            // create role and assign permissions here.
            
            //...
        }
    }
    

    admins can not add any user to those roles mentioned above. (except via our developed api Groups APIs)

    Extend the IdentityRole by adding a new column to identify the role as a group role and override the IdentityUserAppService to filter data.

    For example:

    [ExposeServices(typeof(IdentityUserAppService))]
    public class MyIdentityUserAppService : IdentityUserAppService
    {
        public MyIdentityUserAppService(IdentityUserManager userManager, IIdentityUserRepository userRepository,
            IIdentityRoleRepository roleRepository, IOrganizationUnitRepository organizationUnitRepository,
            IIdentityClaimTypeRepository identityClaimTypeRepository,
            IdentityProTwoFactorManager identityProTwoFactorManager, IOptions<IdentityOptions> identityOptions,
            IDistributedEventBus distributedEventBus, IOptions<AbpIdentityOptions> abpIdentityOptions,
            IPermissionChecker permissionChecker,
            IDistributedCache<IdentityUserDownloadTokenCacheItem, string> downloadTokenCache,
            IDistributedCache<ImportInvalidUsersCacheItem, string> importInvalidUsersCache) : base(userManager,
            userRepository, roleRepository, organizationUnitRepository, identityClaimTypeRepository,
            identityProTwoFactorManager, identityOptions, distributedEventBus, abpIdentityOptions, permissionChecker,
            downloadTokenCache, importInvalidUsersCache)
        {
        }
    
        public override async Task<ListResultDto<IdentityRoleDto>> GetAssignableRolesAsync()
        {
            var roles = await base.GetAssignableRolesAsync();
            // Filter roles
        }
    }
    

    customers-users can not login via angular/auth (the built-in apis) login page. (or if it possible to link users with a client_id, so how can we check this).

    If you don't let them log in, then how do they use the app?

Made with ❤️ on ABP v9.1.0-preview. Updated on December 26, 2024, 06:07