hi
I found a new discuss, You can take a look https://github.com/abpframework/abp/issues/4448
I've seen this discussion before... The workaround with making PermissionDefinitionManager a ITransientDependency and using try-catch block looks like a last resort. @realLiangshiwei mentions an alternative - using "Refresh" method, but does not go into details. I wonder what does this "Refresh" method need to look like, probably this one would fit me: in my middleware I would need to "refresh" the list of static permissions so that static permissions would "see" a newly-added permission definition provider... But looking at the relevant ABP classes, I'm not sure what is the proper way to do that.
Hi, Masum. I have encountered two issues, which may be related. However, I have created a separate ticket for the second problem. This particular ticket addresses the following concern: I am unable to find a proper method to unsubscribe from API calls within my components after logging out. Despite logging out, the API calls continue to be invoked. I apologize if this thread appears confusing. I have been updating the ticket with additional information as I uncover more details and conduct further experiments in an attempt to resolve the issue.
My situation is not very especial: in fact, all I need is to retrieve per-tenant specific data from DB table and build permissions based on this data. How am I supposed to do that with either static or dynamic permissions?
I took a look at the static store implemenation and it looks like there's nothing I can do here:
public StaticPermissionDefinitionStore(
IServiceProvider serviceProvider,
IOptions<AbpPermissionOptions> options)
{
_serviceProvider = serviceProvider;
Options = options.Value;
_lazyPermissionDefinitions = new Lazy<Dictionary<string, PermissionDefinition>>(
CreatePermissionDefinitions,
isThreadSafe: true
);
_lazyPermissionGroupDefinitions = new Lazy<Dictionary<string, PermissionGroupDefinition>>(
CreatePermissionGroupDefinitions,
isThreadSafe: true
);
}
After the store is created, it uses CreatePermissionGroupDefinitions to generate the list of the available definition providers at the moment. This typically occurs when the host is started, before any authenticated app begins sending requests. Once this collection is established, it is not intended to be altered during runtime.
While it is possible to modify this behavior by overriding the class, doing so can introduce complexity and unpredictable consequences.
In the given situation I am ready to consider dynamic permissions usage. Could you please point me in right direction - how to use the CorePermissionDefinitionProvider(or its permissions) as dynamic permissions, not static ones? I've tried to find some info on ABP documentation site, but have not found anything relevant besides using boolean flag in the options indicating whether I want to use dynamic permissions.
Hi again. I've added the following middleware:
public class DynamicPermissionDefinitionMiddleware<T> where T : IPermissionDefinitionProvider
{
private readonly IOptions<AbpPermissionOptions> _permissionOptions;
private readonly RequestDelegate _next;
private bool _isAuthenticated;
public DynamicPermissionDefinitionMiddleware(RequestDelegate next, IOptions<AbpPermissionOptions> permissionOptions)
{
_next = next;
_permissionOptions = permissionOptions;
_isAuthenticated = false;
}
public async Task Invoke(HttpContext context)
{
if (context.User.Identity.IsAuthenticated && !_isAuthenticated)
{
_permissionOptions.Value.DefinitionProviders.Add(typeof(T)); //UPDATES DefinitionProviders as expected!
_isAuthenticated = true;
}
else if (!context.User.Identity.IsAuthenticated && _isAuthenticated)
{
_permissionOptions.Value.DefinitionProviders.Remove(typeof(T));
_isAuthenticated = false;
}
await _next(context);
}
}
into HttpApiHost project:
app.UseMiddleware<DynamicPermissionDefinitionMiddleware<CorePermissionDefinitionProvider>>();
Despite DefinitionProviders collection is filled as expected, the CorePermissionDefinitionProvider is not touched - even the constructor is not invoked (DisableConventionalRegistration is used to prevent trying ABP to add this provider automatically while the host is being loaded):
[DisableConventionalRegistration]
public class CorePermissionDefinitionProvider : PermissionDefinitionProvider
{
private readonly ICurrentUser _currentUser;
private readonly IServiceProvider _serviceProvider;
public CorePermissionDefinitionProvider
(
IServiceProvider serviceProvider,
ICurrentUser currentUser
)
{
_serviceProvider = serviceProvider; //NOT INVOKED!
_currentUser = currentUser;
}
...
}
What am I missing?
I know the basic principles of web app :) After all I see that there's no magic place to place this code. So I will need to use "if" guard condition inside a middleware checking if the request is authorized, so the permission definition provider can be added (once). I'm not closing the ticket yet: could be another questions coming along the way.
So the only place I can place the check is a middleware - meaning on each request "if [user is authenticated]"? I wanted to avoid this, but if there's no other place which is executed only once, I have no choice.
Sorry, it's not what I meant. I mean what is a suitable ABP code (handler, contributor, service method) which is executed once after the user has been successfully authenticated and which is not a part of Identity Server project?
Our solution is ALREADY a very customized (and we have not used dynamic permissions so far, I don't know what would turn out from this), so I am not afraid to experiment with static permissions. But anyway, I'd like to know the place where I can assign my per-tenant permissions. It needs to be a part of solution and invoked once after the user has been authorized. It must not happen in Identity Server project. As I see it, using a middleware is a bad choice, because the middleware Invoke method is get invoked on each request. Instead, I need to make it only once.
I have already overridden StaticPermissionDefinitionStore (for other task), so I can extend it with some new functionality.
But I need to understand how should I implement the task.
The aim is the following: there's configurable parameter in the database which can be different depending on the tenant and other things and in fact it determines the list of permissions.
So I need to read this parameter once the user is authenticated and his current tenant is known.
After this, I need to add just read permissions to the rest of permissions (and be able to assign them to roles as usual).
I know there are dynamic permissions in ABP, but I'd prefer not to make use of them.