
Query On Role Assignment - Identity Module #2500


arbasu@microsoft.com created

If you're creating a bug/problem report, please include the following:

  • ABP Framework version: v4.4
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes (identity server separated) Angular
  • Exception message and stack trace:
  • Steps to reproduce the issue:

Create a Role: Owner.

Assign Permissions: For User Management.

Assign a User (U1) to the role Owner.

Now when this user U1, adds/edits any other user U2, he/she is able to assign other roles like Admin to U2.

We don't want this behavior. An owner can assign any other non-admin roles but not the admin role. How can we achieve this out of the box? Also, we have made the roles non-default and non-public, but they are still visible to users.



3 Answer(s)
  • enisn created
    Support Team .NET Developer

    As a logic you're right. It can be a business logic such as you mentioned. But currently, ABP doesn't implement that kind of logic.

    The shortest way to perform that operation is overriding IdentityUserAppService

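    ```csharp
    using System.Linq;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Identity;
    using Microsoft.Extensions.Options;
    using Volo.Abp.Application.Dtos;
    using Volo.Abp.DependencyInjection;
    using Volo.Abp.Identity;

    // Replaces the built-in IdentityUserAppService in the dependency injection container.
    [Dependency(ReplaceServices = true)]
    public class MyCustomIdentityUserAppService : IdentityUserAppService
    {
        public MyCustomIdentityUserAppService(
            IdentityUserManager userManager,
            IIdentityUserRepository userRepository,
            IIdentityRoleRepository roleRepository,
            IOptions<IdentityOptions> identityOptions)
            : base(userManager, userRepository, roleRepository, identityOptions)
        {
        }

        // Returns the roles listed in the role picker of the user create/edit form.
        public override async Task<ListResultDto<IdentityRoleDto>> GetAssignableRolesAsync()
        {
            var roles = await base.GetAssignableRolesAsync();

            // Your condition. The original left this open (hint: CurrentUser.UserName == "admin");
            // the check below is an assumption: the caller is not in the "admin" role.
            if (!CurrentUser.IsInRole("admin"))
            {
                var customRoleList = roles.Items.ToList();
                customRoleList.Remove(roles.Items.FirstOrDefault(x => x.Name == "admin"));

                return new ListResultDto<IdentityRoleDto>(customRoleList);
            }

            return roles;
        }
    }
    ```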
    
  • arbasu@microsoft.com created

    So, just to summarize: does this mean we need to define a custom UI and integrate the same with a custom service? This custom service will override the logic by inheriting IdentityUserAppService (as you mentioned above).

    Is that the case?

  • enisn created
    Support Team .NET Developer

    No, you don't need to define a custom UI. Just override only IdentityUserAppService, and the existing UI will use the same endpoint. You'll just add some custom logic for existing AppService logic.
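
Filtering `GetAssignableRolesAsync` only changes which roles the existing UI lists; it does not by itself stop a request that names the admin role directly in `RoleNames`. The following is an added example, not part of the thread and not ABP's own code, that applies the same override pattern to the write path. The class name is hypothetical, and the method signatures are assumed to match the open-source `Volo.Abp.Identity` `IdentityUserAppService` that the constructor in the answer corresponds to.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options;
using Volo.Abp.Authorization;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Identity;

// Added example; the class name is hypothetical.
[Dependency(ReplaceServices = true)]
public class RoleGuardedIdentityUserAppService : IdentityUserAppService
{
    private const string ProtectedRole = "admin"; // role name used in the thread

    public RoleGuardedIdentityUserAppService(
        IdentityUserManager userManager,
        IIdentityUserRepository userRepository,
        IIdentityRoleRepository roleRepository,
        IOptions<IdentityOptions> identityOptions)
        : base(userManager, userRepository, roleRepository, identityOptions) { }

    public override async Task<IdentityUserDto> CreateAsync(IdentityUserCreateDto input)
    {
        EnsureCallerMayAssign(input.RoleNames);
        return await base.CreateAsync(input);
    }

    public override async Task<IdentityUserDto> UpdateAsync(Guid id, IdentityUserUpdateDto input)
    {
        EnsureCallerMayAssign(input.RoleNames);
        return await base.UpdateAsync(id, input);
    }

    public override async Task UpdateRolesAsync(Guid id, IdentityUserUpdateRolesDto input)
    {
        EnsureCallerMayAssign(input.RoleNames);
        await base.UpdateRolesAsync(id, input);
    }

    // Reject the request server-side; compare case-insensitively because
    // ASP.NET Core Identity normalizes role names before looking them up.
    private void EnsureCallerMayAssign(string[] roleNames)
    {
        var asksForProtected = roleNames != null && roleNames.Any(
            r => string.Equals(r, ProtectedRole, StringComparison.OrdinalIgnoreCase));
        if (asksForProtected && !CurrentUser.IsInRole(ProtectedRole))
            throw new AbpAuthorizationException("Only admins may assign the admin role.");
    }
}
```

If the `GetAssignableRolesAsync` override from the answer is used as well, put it in the same class, so that only one replacement of the service is registered.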

Made with ❤️ on ABP v9.3.0-preview. Updated on May 15, 2025, 10:28