Starts in:
0 DAY
13 HRS
29 MIN
45 SEC
Starts in:
0 D
13 H
29 M
45 S
Open Closed

Custom PermissionValueProvider in microservice project #7924


User avatar
0
WaelRazouk created
  • ABP Framework version: v8.1.1
  • UI Type: Angular
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes
  • Exception message and full stack trace:
  • Steps to reproduce the issue:

Continue of Dynamic permissions question but with more complex scenario.

I have the entities Risk, Plan, and Task with 1-n relation between them (Risk 1-n Plan) and (Plan 1-n Task). each entity has a property OwnerId which is related to users entity. Now regarding permission: if I assign the RisksPermission to some user, he should see all risks, but if another user is assigned as owner for a task or plan, he should see the related risks only (not the ones he is not part of). I managed to make this work in a monolith project as follows:

  • Define DynamicPermissionValueProvider with ProviderName = "D"
  • When user is assigned as owner for task or plan, grant this user RisksPermission using this dynamic provider (using IPermissionManager.SetAsync method)
  • When listing the risks: check if the user has the permission with RolePermissionValueProvider or UserPermissionValueProvider return all risks, if the permission is granted with DynamicPermissionValueProvider, filter the risks.

Now this approach is good for frontend (angular) when using requiredPolicy for RoutesService (if the user has the permission with any provider, he can see the risks menu item).

The problem of this approach with microservice project is that IPermissionManager is only provided in administration service and can't be used in other services.

How can I achieve this scenario in a microservice project.

Thanks in advance


10 Answer(s)
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    They are using RemotePermissionChecker https://github.com/abpframework/abp/blob/rel-8.3/framework/src/Volo.Abp.AspNetCore.Mvc.Client.Common/Volo/Abp/AspNetCore/Mvc/Client/RemotePermissionChecker.cs#L8

    you can override it.

  • User Avatar
    0
    WaelRazouk created

    Hi, I checked it and couldn't figure out how to get the provider that is granting the required permission, it can only tell if the permission is granted or not. Also the methods are not defined virtual so couldn't override them

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    after my check,you can use IPermissionManager without any problem

  • User Avatar
    0
    WaelRazouk created

    I checked it and it works fine in the Api.Host project. How can I use it in the application layer? try to use IPermissionManager in the ProductService.Application project, it will not work directly. There is some dependency I need to add, can you tell what dependency or projects I need to add to make it work?

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    yes ,you need to add some dependency.

    add Volo.Abp.PermissionManagement.Domain package and module dependency

  • User Avatar
    0
    WaelRazouk created

    Hi, I resovled package and module dependency, and was able to use IPermissionManager in my service, but faced another issue. I defined new DynamicPermissionManagementProvider extends PermissionManagementProvider and DynamicPermissionValueProvider extends PermissionValueProvider to grant some users some dynamic permissions. I was able to use the new provider and could see the granted permissions in the table AbpPermissionGrants in database. Also logged the result of getting the permission using this line of code:

    var granted = await _permissionManager.GetAsync(RisksManagementServicePermissions.Risks.Default, DynamicPermissionValueProvider.ProviderName, CurrentUser.Id.Value.ToString());
    

    And found that the permission is actually granted to the user using my provider. But from angular side, when sending application-configuration request (which includes in its response auth -> grantedPolicies to tell angular app current users' permissions, I don't see my permission granted!

    Any idea?

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    But from angular side, when sending application-configuration request (which includes in its response auth -> grantedPolicies to tell angular app current users' permissions, I don't see my permission granted!

    You may need to custom the AbpApplicationConfigurationAppService service https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/ApplicationConfigurations/AbpApplicationConfigurationAppService.cs

  • User Avatar
    0
    WaelRazouk created

    Hi, I managed to make it work without any customization. The issue was that I defined my custom permission provider in another microservice, and the configuration request was redirected to administration service. When I moved the permission provider to administration service, it worked. Now I have a question related to some code that I needed to write:

    To add my provider I needed to write this code

    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        // Other codes
        Configure<PermissionManagementOptions>(options =>
        {
            options.ManagementProviders.Add<DynamicPermissionManagementProvider>();
            options.ProviderPolicies[DynamicPermissionValueProvider.ProviderName] = AdministrationServicePermissions.Dashboard.Host;
        });
    
        Configure<AbpPermissionOptions>(options =>
        {
            options.ValueProviders.Add<DynamicPermissionValueProvider>();
        });
    }
    

    My question is about this line

     options.ProviderPolicies[DynamicPermissionValueProvider.ProviderName] = AdministrationServicePermissions.Dashboard.Host;
    

    Why is this needed? and does it matter what permission I provide for it?

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    This is used for permission management

    Will check it when using IPermissionAppService to update/change/get permissions

  • User Avatar
    0
    WaelRazouk created

    Hi, Thank you. It's clear now

Made with ❤️ on ABP v9.1.0-preview. Updated on November 20, 2024, 13:06