Yes, I can and it works. However, I'd prefer to mark the class with attribute like DisableConventionalRegistration
and be sure it is ignored everywhere. With this approach:
Configure<AbpPermissionOptions>(options =>
{
options.DefinitionProviders.Remove(typeof(PortalAccessPermissionDefinitionProvider));
})
I need to remember doing it in every project which uses the given class...
This approach works - I've already checked it before. But the problem is that I have hundreds of components, each of which has dozen of API calls. The components use base class which contains unsubscriber$ and it is used in ngOnDestroy
to be nullified and complete. Thanks to that, when I go to another component, any API anywhere is properly unsubscribed (takeUntil(this.unsubscriber$)
).
Making use of one more check means I need to add this filter(...)
in all those API calls. And this is not a very good approach, IMHO.... I'd prefer to make changes in the base class unsubscriber$ only - to cover logout scenario...
I think I've almost managed to do this. However, quick question. How to prevent PermissionDefinitionProvider
from being automatically handled by ABP? I've decorated it with DisableConventionalRegistration
. But this is not enough, because Static Store uses one more mechanism, Options.DefinitionProviders
, to read them. So in addition to DisableConventionalRegistration
I need to manually remove it from IPermissionOptions
DefinitionProviders
collection (something for ABP to think about).
But probably there's a more comfortable way to make ABP ignore the provider?
The requested service 'AbxEps.CT.Core.Permissions.PortalAccessPermissionDefinitionProvider' has not been registered. To avoid this exception, either register a component to provide the service, check for service registration using IsRegistered(), or use the ResolveOptional() method to resolve an optional dependency. Autofac.Core.Registration.ComponentNotRegisteredException: The requested service 'AbxEps.CT.Core.Permissions.PortalAccessPermissionDefinitionProvider' has not been registered. To avoid this exception, either register a component to provide the service, check for service registration using IsRegistered(), or use the ResolveOptional() method to resolve an optional dependency. at Autofac.ResolutionExtensions.ResolveService(IComponentContext context, Service service, IEnumerable
1 parameters) at Autofac.ResolutionExtensions.Resolve(IComponentContext context, Type serviceType, IEnumerable
1 parameters) at Autofac.ResolutionExtensions.Resolve(IComponentContext context, Type serviceType) at Autofac.Extensions.DependencyInjection.AutofacServiceProvider.GetRequiredService(Type serviceType) at AbxEps.CT.ModulePermission.ExtendedStaticPermissionDefinitionStore.<>c__DisplayClass17_0.<CreatePermissionGroupDefinitions>b__0(Type p) at System.Linq.Enumerable.SelectIListIterator2.ToList() at AbxEps.CT.ModulePermission.ExtendedStaticPermissionDefinitionStore.CreatePermissionGroupDefinitions() at System.Lazy
1.ViaFactory(LazyThreadSafetyMode mode) --- End of stack trace from previous location --- at System.Lazy`1.CreateValue() at AbxEps.CT.ModulePermission.ExtendedStaticPermissionDefinitionStore.get_PermissionGroupDefinitions() at AbxEps.CT.ModulePermission.ExtendedStaticPermissionDefinitionStore.GetGroupsAsync()
I understand that. And I see the code of StaticPermissionDefinitionStore
:
public StaticPermissionDefinitionStore(
IServiceProvider serviceProvider,
IOptions<AbpPermissionOptions> options)
{
_serviceProvider = serviceProvider;
Options = options.Value;
_lazyPermissionDefinitions = new Lazy<Dictionary<string, PermissionDefinition>>(
CreatePermissionDefinitions,
isThreadSafe: true
);
_lazyPermissionGroupDefinitions = new Lazy<Dictionary<string, PermissionGroupDefinition>>(
CreatePermissionGroupDefinitions,
isThreadSafe: true
);
}
I understand that I can override the method which creates the groups:
protected virtual Dictionary<string, PermissionGroupDefinition> CreatePermissionGroupDefinitions()
{
using (var scope = _serviceProvider.CreateScope())
{
var context = new PermissionDefinitionContext(scope.ServiceProvider);
var providers = Options
.DefinitionProviders
.Select(p => scope.ServiceProvider.GetRequiredService(p) as IPermissionDefinitionProvider)
.ToList(); // `CorePermissionDefinitionProvider` is still not known here - this list is created when `StaticPermissionDefinitionStore` singleton is instantiated, but prior to the moment the first request from client is sent
...
}
But how will it help me? The method determines the way to retrieve the providers, not the moment in time they are retrieved. This method is invoked when StaticPermissionDefinitionStore
singleton is instantiated: at this time I still don't have my CorePermissionDefinitionProvider
available - it's added to the collection only when the application is authenticated and sends the first authenticated request.
Probably I don't see something obvious?
Hi. I've used the Guard you provided and put breakpoint in canActivate
method. So when I click "Logout" - I'm being redirected... by the moment the breakpoint is fired, the hasValidAccessToken
is true and I'm landed to Home page (instead of Login page of Identity Server). If it is the problem of server-side - like the revocation is not done correctly or some token is not cleared or something else - I ask you to help me sort this out. I've put the fragment of the log from Identity Server above if it could come in handy. Unfortunately, I cannot send the project (it's commercial) or reproduce this on some test project (it would take a while trying to create such project). What I can do is to follow your instructions as for what to check and where.
hi
I found a new discuss, You can take a look https://github.com/abpframework/abp/issues/4448
I've seen this discussion before... The workaround with making PermissionDefinitionManager
a ITransientDependency
and using try-catch block looks like a last resort. @realLiangshiwei mentions an alternative - using "Refresh" method, but does not go into details. I wonder what does this "Refresh" method need to look like, probably this one would fit me: in my middleware I would need to "refresh" the list of static permissions so that static permissions would "see" a newly-added permission definition provider... But looking at the relevant ABP classes, I'm not sure what is the proper way to do that.
Hi, Masum. I have encountered two issues, which may be related. However, I have created a separate ticket for the second problem. This particular ticket addresses the following concern: I am unable to find a proper method to unsubscribe from API calls within my components after logging out. Despite logging out, the API calls continue to be invoked. I apologize if this thread appears confusing. I have been updating the ticket with additional information as I uncover more details and conduct further experiments in an attempt to resolve the issue.
My situation is not very especial: in fact, all I need is to retrieve per-tenant specific data from DB table and build permissions based on this data. How am I supposed to do that with either static or dynamic permissions?
I took a look at the static store implemenation and it looks like there's nothing I can do here:
public StaticPermissionDefinitionStore(
IServiceProvider serviceProvider,
IOptions<AbpPermissionOptions> options)
{
_serviceProvider = serviceProvider;
Options = options.Value;
_lazyPermissionDefinitions = new Lazy<Dictionary<string, PermissionDefinition>>(
CreatePermissionDefinitions,
isThreadSafe: true
);
_lazyPermissionGroupDefinitions = new Lazy<Dictionary<string, PermissionGroupDefinition>>(
CreatePermissionGroupDefinitions,
isThreadSafe: true
);
}
After the store is created, it uses CreatePermissionGroupDefinitions
to generate the list of the available definition providers at the moment. This typically occurs when the host is started, before any authenticated app begins sending requests. Once this collection is established, it is not intended to be altered during runtime.
While it is possible to modify this behavior by overriding the class, doing so can introduce complexity and unpredictable consequences.
In the given situation I am ready to consider dynamic permissions usage. Could you please point me in right direction - how to use the CorePermissionDefinitionProvider
(or its permissions) as dynamic permissions, not static ones? I've tried to find some info on ABP documentation site, but have not found anything relevant besides using boolean flag in the options indicating whether I want to use dynamic permissions.
Hi again. I've added the following middleware:
public class DynamicPermissionDefinitionMiddleware<T> where T : IPermissionDefinitionProvider
{
private readonly IOptions<AbpPermissionOptions> _permissionOptions;
private readonly RequestDelegate _next;
private bool _isAuthenticated;
public DynamicPermissionDefinitionMiddleware(RequestDelegate next, IOptions<AbpPermissionOptions> permissionOptions)
{
_next = next;
_permissionOptions = permissionOptions;
_isAuthenticated = false;
}
public async Task Invoke(HttpContext context)
{
if (context.User.Identity.IsAuthenticated && !_isAuthenticated)
{
_permissionOptions.Value.DefinitionProviders.Add(typeof(T)); //UPDATES DefinitionProviders as expected!
_isAuthenticated = true;
}
else if (!context.User.Identity.IsAuthenticated && _isAuthenticated)
{
_permissionOptions.Value.DefinitionProviders.Remove(typeof(T));
_isAuthenticated = false;
}
await _next(context);
}
}
into HttpApiHost project:
app.UseMiddleware<DynamicPermissionDefinitionMiddleware<CorePermissionDefinitionProvider>>();
Despite DefinitionProviders
collection is filled as expected, the CorePermissionDefinitionProvider
is not touched - even the constructor is not invoked (DisableConventionalRegistration
is used to prevent trying ABP to add this provider automatically while the host is being loaded):
[DisableConventionalRegistration]
public class CorePermissionDefinitionProvider : PermissionDefinitionProvider
{
private readonly ICurrentUser _currentUser;
private readonly IServiceProvider _serviceProvider;
public CorePermissionDefinitionProvider
(
IServiceProvider serviceProvider,
ICurrentUser currentUser
)
{
_serviceProvider = serviceProvider; //NOT INVOKED!
_currentUser = currentUser;
}
...
}
What am I missing?