Open Closed

Turn off dashboard access for certain user #8168


User avatar
0
jean@groovejones.com created
  • ABP Framework version: v8.3.1
  • UI Type: MVC
  • Database System: EF Core PostgreSQL
  • Tiered (for MVC) or Auth Server Separated (for Angular): no
  • Exception message and full stack trace:
  • Steps to reproduce the issue:

I am looking to use the Identity and social login etc, but I would like to limit access to the Dashboard to only "admin" or some people who has a certain roles. Basically, I want the whole application to be more locked down and give users only access to specific things I code in AppServices. They should not be able to log in via the main dashboard, request password changes, nor being allowed to view their profile or change their profile, setup 2FA, access security logs, etc.

I am using the default OpenIddictApplications, and as mentioned, I want to use the whole stack about being able to log in via my own /connect/token or Social, but I really want them to be able to do only what I code, nothing in ABP UI.

How would I achieve this?


7 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    You can use Role-based / Policy-based authorization to customize your page and controller permissions.

    https://learn.microsoft.com/en-us/aspnet/core/security/authorization/roles?view=aspnetcore-8.0&source=recommendations https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-8.0

    https://github.com/abpframework/abp/pull/10152#issue-1007619207

  • User Avatar
    0
    jean@groovejones.com created

    I think you misunderstood my question. I am aware of how to add authorization/role/policy on my own controllers.

    I want the default controllers from coming from ABP UI to be protected.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    You can set the permissions to the user to limit.

    For controllers or pages that allow anonymity, you can only override them to add restrictions.

  • User Avatar
    0
    jean@groovejones.com created

    Thank you mailiming for your answer, but I came up to the same conclusion as you; I was looking for a little more code or more guidance on this.

    Let's go with the direction you said

    You can set the permission to the user to limit

    OK..., currently my user has no permissions whatsoever. How could we, with code, prevent the user from using the dashboard? Your dashboard doesn't allow anonymity, it allows anybody who is logged in. Could I force all pages to be visible ONLY if someone is under 1 permission?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    The Dashboard source code in your project. Can you try to add [Authorize(Your_Permission_Name)].

    [Authorize(Your_Permission_Name)]
    public class HostDashboardModel
    

    And AuthorizePage to specify razor page.

    Configure<RazorPagesOptions>(options =>
    {
        options.Conventions.AuthorizePage("/Identity/Users/Index", Your_Permission_Name);
    });
    
  • User Avatar
    0
    jean@groovejones.com created

    Thank you for pointing me in the right direction. The first example didn't work, but I opted for the second one with blacklisting rather than whitelisting:

    serviceCollection.Configure<RazorPagesOptions>(options =>
    {
        options.Conventions.AuthorizeFolder("/", ABPPermissions.Dashboard);
        options.Conventions.AllowAnonymousToPage("/Account/Login");
        options.Conventions.AllowAnonymousToPage("/Account/AccessDenied");
    });
    
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    : )

Made with ❤️ on ABP v9.1.0-preview. Updated on December 13, 2024, 06:09