- ABP Framework version: v8.3.1
- UI Type: MVC
- Database System: EF Core PostgreSQL
- Tiered (for MVC) or Auth Server Separated (for Angular): no
- Exception message and full stack trace:
- Steps to reproduce the issue:
I am looking to use the Identity and social login etc., but I would like to limit access to the Dashboard to only "admin" or some people who have certain roles. Basically, I want the whole application to be more locked down and give users only access to specific things I code in AppServices. They should not be able to log in via the main dashboard, request password changes, nor be allowed to view their profile or change their profile, set up 2FA, access security logs, etc.
I am using the default OpenIddictApplications, and as mentioned, I want to use the whole stack about being able to log in via my own /connect/token or Social, but I really want them to be able to do only what I code, nothing in ABP UI.
How would I achieve this?
7 Answer(s)
-
0
hi
You can use Role-based / Policy-based authorization to customize your page and controller permissions.
https://learn.microsoft.com/en-us/aspnet/core/security/authorization/roles?view=aspnetcore-8.0&source=recommendations
https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-8.0
https://github.com/abpframework/abp/pull/10152#issue-1007619207
-
0
I think you misunderstood my question. I am aware of how to add authorization/role/policy on my own controllers.
I want the default controllers coming from ABP UI to be protected.
-
0
hi
You can set the permissions to the user to limit.
For controllers or pages that allow anonymity, you can only override them to add restrictions.
-
0
Thank you mailiming for your answer, but I came to the same conclusion as you; I was looking for a little more code or more guidance on this.
Let's go with the direction you said:
"You can set the permission to the user to limit"
OK..., currently my user has no permissions whatsoever. How could we, with code, prevent the user from using the dashboard? Your dashboard doesn't allow anonymity, it allows anybody who is logged in. Could I force all pages to be visible ONLY if someone is under 1 permission?
-
0
hi
The Dashboard source code is in your project. Can you try to add [Authorize(Your_Permission_Name)]?

```csharp
[Authorize(Your_Permission_Name)]
public class HostDashboardModel
```

And AuthorizePage to specify a razor page.

```csharp
Configure<RazorPagesOptions>(options =>
{
    options.Conventions.AuthorizePage("/Identity/Users/Index", Your_Permission_Name);
});
```
-
0
Thank you for pointing me in the right direction. The first example didn't work, but I opted for the second one with blacklisting rather than whitelisting:
```csharp
serviceCollection.Configure<RazorPagesOptions>(options =>
{
    options.Conventions.AuthorizeFolder("/", ABPPermissions.Dashboard);
    options.Conventions.AllowAnonymousToPage("/Account/Login");
    options.Conventions.AllowAnonymousToPage("/Account/AccessDenied");
});
```
-
0
: )
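The configuration the thread arrives at, shown end to end as an added example that is not part of any post above and is not ABP's own code. It assumes a hypothetical `Acme.Demo` namespace, module class, provider class and permission group; only `ABPPermissions.Dashboard` and the three page conventions come from the thread.

```csharp
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.DependencyInjection;
using Volo.Abp.Authorization.Permissions;
using Volo.Abp.Modularity;

namespace Acme.Demo; // hypothetical namespace

public static class ABPPermissions
{
    public const string GroupName = "Acme"; // hypothetical group name
    public const string Dashboard = GroupName + ".Dashboard";
}

// Defines the permission. ABP resolves a defined permission name as an
// ASP.NET Core authorization policy with the same name, which is why the
// constant can be passed to AuthorizeFolder below.
// If the solution already defines this group, add the permission to the
// existing provider instead: AddGroup throws on a duplicate group name.
public class AcmePermissionDefinitionProvider : PermissionDefinitionProvider
{
    public override void Define(IPermissionDefinitionContext context)
    {
        var group = context.AddGroup(ABPPermissions.GroupName);
        group.AddPermission(ABPPermissions.Dashboard);
    }
}

// In a real solution this body goes into the existing web module's
// ConfigureServices; a separate module is used here to keep it compact.
public class AcmeWebModule : AbpModule
{
    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        context.Services.Configure<RazorPagesOptions>(options =>
        {
            // Deny by default: every Razor Page under the root requires the
            // Dashboard permission, including pages shipped by ABP modules.
            // Pages that live in an MVC area need AuthorizeAreaFolder instead.
            options.Conventions.AuthorizeFolder("/", ABPPermissions.Dashboard);

            // Explicit exceptions: without these, an unauthenticated user is
            // redirected to a login page they are not allowed to open.
            options.Conventions.AllowAnonymousToPage("/Account/Login");
            options.Conventions.AllowAnonymousToPage("/Account/AccessDenied");
        });
    }
}
```

These conventions cover Razor Pages only. MVC and API controllers, including the `/connect/token` endpoint, are not affected by them and need their own authorization.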