Open Closed

Auth: Implement Resource based Policy - Output a 404 Forbidden #1573


User avatar
0
rkoepferl created

I have some problems getting the big picture of your design of Controllers, AppServices and the common Interface.

Let's take as a sample

interface IFooAppService
{
    Task<FooDto> GetFooAsync(Guid id);
}

class FooAppService: IFooAppService {..}
class FooAppController: IFooAppService {..}

Maybe I have to solve the whole thing different. but lets considder my current situation:

In GetFooAsync() I want to restrict access to the API. As in the ASP.Net samples I want to ensure the Author is the same as the user. Therefore I have to get the entity, first.

  1. where would I actually do my check? Obviously in the AppService because this is where I get my entity, first. (But ASP.Net Authorisation suggests to use the ClaimsPrincipal. Therefore the Controller seems to be the place to write code: Like so: var authorizationResult = await _authorizationService.AuthorizeAsync(User, Document, Operations.Read);

  2. Consider the authorized check works like a snap. So, eventualy I have to branch with an if(authorized) What would I do in the Forbidden case?

In good old Controller-Style I would return ForbidResult() but due to the interface I cannot do that because the compiler does not let me return an ActionResult, if my interface Result is a FooDto

should I change to Task<IActionResult> ? will it have any implications with the proper serialisation and the API generation abp generate proxy?

see https://docs.microsoft.com/en-gb/aspnet/core/security/authorization/resourcebased?view=aspnetcore-5.0

  • ABP Framework version: v4.3.2
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): no
  • Exception message and stack trace: --
  • Steps to reproduce the issue:"--

4 Answer(s)
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    https://docs.abp.io/en/abp/latest/Exception-Handling#http-status-code-mapping

    You can throw an AbpAuthorizationException exception and ABP will handle it.

  • User Avatar
    0
    rkoepferl created

    Ok, works (by throwing any of the build in exceptinons) But is there a reason, why AbpAuthorizationException("messagetext") results in a generic message as "Internal server error" instead of "messagetext".

    I get what I want, though, if I use UserFriendlyException()

  • User Avatar
    0
    rkoepferl created

    seems like I get the "internal error message" only then, if my localisation does not work - odd

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    This is by design

Made with ❤️ on ABP v9.1.0-preview. Updated on December 05, 2024, 12:19