I have some problems getting the big picture of your design of Controllers, AppServices and the common Interface.
Let's take as a sample
interface IFooAppService
{
Task<FooDto> GetFooAsync(Guid id);
}
class FooAppService: IFooAppService {..}
class FooAppController: IFooAppService {..}
Maybe I have to solve the whole thing different. but lets considder my current situation:
In GetFooAsync() I want to restrict access to the API. As in the ASP.Net samples I want to ensure the Author is the same as the user. Therefore I have to get the entity, first.
where would I actually do my check? Obviously in the
AppServicebecause this is where I get my entity, first. (But ASP.Net Authorisation suggests to use theClaimsPrincipal. Therefore the Controller seems to be the place to write code: Like so:var authorizationResult = await _authorizationService.AuthorizeAsync(User, Document, Operations.Read);Consider the authorized check works like a snap. So, eventualy I have to branch with an
if(authorized)What would I do in the Forbidden case?
In good old Controller-Style I would return ForbidResult()
but due to the interface I cannot do that because the compiler does not let me return an ActionResult, if my interface Result is a FooDto
should I change to Task<IActionResult> ?
will it have any implications with the proper serialisation and the API generation abp generate proxy?
see https://docs.microsoft.com/en-gb/aspnet/core/security/authorization/resourcebased?view=aspnetcore-5.0
- ABP Framework version: v4.3.2
- UI type: Angular
- DB provider: EF Core
- Tiered (MVC) or Identity Server Separated (Angular): no
- Exception message and stack trace: --
- Steps to reproduce the issue:"--
4 Answer(s)
-
0
Hi,
https://docs.abp.io/en/abp/latest/Exception-Handling#http-status-code-mapping
You can throw an
AbpAuthorizationExceptionexception and ABP will handle it. -
0
Ok, works (by throwing any of the build in exceptinons) But is there a reason, why AbpAuthorizationException("messagetext") results in a generic message as "Internal server error" instead of "messagetext".
I get what I want, though, if I use UserFriendlyException()
-
0
seems like I get the "internal error message" only then, if my localisation does not work - odd
-
0
This is by design
