Open Closed

Composite role implementation (role of roles) #4850


User avatar
0
alexander.nikonov created
  • ABP Framework version: v7.0.1
  • UI type: Angular
  • DB provider: EF Core
  • Identity Server Separated (Angular)

We would like to implement the logic which implies assigning permissions to a custom role, while such custom role in turn is assigned to a standard role of the system. Could you please advice how can we fulfil such task by means of ABP framework?


41 Answer(s)
  • User Avatar
    0
    alexander.nikonov created

    Sorry, cannot prepare the test project which would cover our functionality, it would take too much time.

    I've managed to resolve the permission issue, I guess. Probably it was caused by the scenario when a user has no user roles assigned - only his department's roles... I will get back to this part later probably.

    I guess it's ok, the Front-end loads permission grant datas from backend

    It does not look right now... Please have a look at whole chain:

    a) current user has "Role 1" assigned":

    b) "Role 1" is granted "CT;CTApli:DT~Modify" permission:

    c) Angular app does not see this permission (even though back-end check in the AbxRolePermissionValueProvideris ok - probably there is no direct connection between its result and what getGrantedPolicy returns at client-side) :

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    You can check the api/abp/application-configuration endpoint.

    It will return information about the current user, permission grant data, etc.

  • User Avatar
    0
    alexander.nikonov created

    There are no "MR" permissions there. I have the idea why. Meanwhile I'm going to create a separate package for optional adding Module Roles functionality to different projects. So the questions are:

    a) Is it possible to have all providers on ONE layer? Because currently they are split between "Domain" and "Application.Contracts" layers following ABP source code structure. Maybe I'm missing something:

    My idea is to enable this functionality in minimum of steps, i.e. just include the package to one layer (project) or to configure it in one place of one project (if possible);

    b) How to filter out this query? I don't want to show "MR" roles here:

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    A.

    I think there is no problem, but you need to make sure the startup project has its project reference and module dependency, otherwise, the application will not load the permission definitions.

    b

    You can override the repository to filter the roles.

    [ExposeServices(typeof(IIdentityRoleRepository))]
    public class MyEfCoreIdentityRoleRepository : EfCoreIdentityRoleRepository
    {
        public MyEfCoreIdentityRoleRepository(IDbContextProvider<IIdentityDbContext> dbContextProvider) : base(dbContextProvider)
        {
        }
        
        override .....
    }
    
  • User Avatar
    0
    alexander.nikonov created

    You can override the repository to filter the roles.

    This approach does not suit me well. I already use ABP EfCoreIdentityRoleRepository in many places of my solutions. I'd prefer to leave ABP EfCoreIdentityRoleRepository intact, but instead replace client-side ABP IdentityRoleService for specific component(s):

    I've tried to inherit this service, but bumped into the problem: for some reason ABP implementation uses arrow functions instead of prototype-level functions, so I cannot override them in my class:

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    You can replace the component with yours and use the your own service to get roles. https://docs.abp.io/en/abp/latest/UI/Angular/Component-Replacement

  • User Avatar
    0
    alexander.nikonov created

    You can replace the component with yours and use the your own service to get roles. https://docs.abp.io/en/abp/latest/UI/Angular/Component-Replacement

    I already use a DepartmentComponent instead of ABP OrganizationUnitsComponent. It generally "mimics" the ABP "Organization Units" component behavior.

    The problem is that when on "Roles" tab you click "Add Role" - modal component OrganizationRolesModalBodyComponent is shown which itself is NOT replaceable. It uses the following service to fill the list of roles:

    The only way to affect this list that I can see it to replace dependency-injected service IdentityRoleService. However, as I have written before, I don't know how to do it properly (if possible).

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    The only way to affect this list that I can see it to replace dependency-injected service IdentityRoleService. However, as I have written before, I don't know how to do it properly (if possible).

    Yes, you can do it, just:

    [ExposeServices(typeof(IdentityUserAppService))]
    public class MyIdentityRoleAppService : IdentityRoleAppService
    {
        public MyIdentityRoleAppService(IdentityRoleManager roleManager, IIdentityRoleRepository roleRepository, IIdentityClaimTypeRepository identityClaimTypeRepository) : base(roleManager, roleRepository, identityClaimTypeRepository)
        {
        }
    
        public override Task<PagedResultDto<IdentityRoleDto>> GetListAsync(GetIdentityRoleListInput input)
        {
            return base.GetListAsync(input);
        }
    
        public override Task<ListResultDto<IdentityRoleDto>> GetAllListAsync()
        {
            return base.GetAllListAsync();
        }
    }
    
  • User Avatar
    0
    alexander.nikonov created

    Thank you. Overriding AppService is ok too.

    Could you please tell me if it can be considered a bug?

    Why ABP allowed me to create two roles with the same name for null-tenant? ABPROLES does not have constraint for [TENANTID, NAME], but I can't figure it out how to make use of two roles with the same name for the same tenant...

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    I guess the IsDeleted field value of one of them is true

  • User Avatar
    0
    alexander.nikonov created

    I guess the IsDeleted field value of one of them is true Could be, I've deleted the duplicate and cannot check it out...

    The implementation is almost complete. I have the following question. Let's say my new Role Management page is located in Solution A which has this page in UI. However, I want to assign and revoke granted permissions for other Solutions, each of them has own PermissionDefinition. How to do that? Indeed, Solution A does not have references to another solutions, particularly. it does not have references to Solution B Application Contracts project, where definitions are described. So the "Role Management" page in Solution A does not list the permissions from Solution B and thus cannot assign or revoke them.

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    See: https://github.com/abpframework/abp/pull/13644

    We added a dynamic permissions system in 7.0, solution A can also load permission definitions without referencing solution B. but they should use the same database.

  • User Avatar
    0
    alexander.nikonov created

    My teammate mentioned that "dynamic permissions" do not fit us for some reasons. I don't know the details yet, I will get back to this later.

    Meanwhile I have the following questions.

    I moved Module Role functionality into a separate solution which needs to be consumed in two different solutions, layer-by-layer: Domain.Shared, Domain, Application.Contracts, Application, EntityFramework Nuget packages, the same way as ABP solution looks like.

    a) ApplicationService layer traditionally contains some localized information:

    public class ModulePermissionAppService : ApplicationService, IModulePermissionAppService
    

    And I need to customize resource localization in the places like this:

    throw new BusinessException(DomainErrorCodes.NotFound, _stringLocalizer.GetString("Roles:RoleNotFound"));
    

    i.e. dependency-injected _stringLocalizer which is IStringLocalizer<SomeResource> needs to have different value in each case. For instance, IStringLocalizer<ResourceA> in one solution and IStringLocalizer<ResourceB> in another solution. How do I do that?

    b) I'd like to pass Authorization Permission class constants in some nice uniform way:

        [Authorize(THIS_NEEDS_TO_BE_CUSTOMIZED.Roles.Modify)] //
        public async Task DeleteRoleAsync(bool isModuleRole, Guid id, bool ignoreDeleted = false)
        
        [Authorize(THIS_NEEDS_TO_BE_CUSTOMIZED.Roles.Read)] //
        public async Task&lt;RoleDto&gt; GetRoleAsync(Guid id)
    
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    https://docs.abp.io/en/abp/latest/Localization#extending-existing-resource

    You can override existing localized text in different solutions

  • User Avatar
    0
    alexander.nikonov created

    https://docs.abp.io/en/abp/latest/Localization#extending-existing-resource

    You can override existing localized text in different solutions

    Thank you - I will try to make use of the including basic type into any empty resource class of ModulePermission class. Hope it will work out.

    Could you please let me know if it is possible to pass-through additional information of route (like this module ID) from Angular app somehow to a back-end?

    when I am loading the specific page via URL:

    or just navigating to the app https://localhost:4200 (and expecting to see only specific module ID-related pages in the menu)

    inside your method:

    public override async Task&lt;MultiplePermissionGrantResult&gt; CheckAsync(PermissionValuesCheckContext context)
    

    ? I need information about all module IDs (module ID matches Module Role, which contains permissions) for my Angular app pages to check out which of them are to be displayed / hidden.

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    I think the main question about this ticket has been solved. Could you create a new question for others? Thanks. I'm closing this.

Made with ❤️ on ABP v9.1.0-preview. Updated on November 01, 2024, 05:35