HI,
We're looking to add the moduleId property when we defined the permission using PermissionDefinitionProvider class. However the AddPermission method or AddChild method can not except new property.
Can you provide us some sample how we can do that?
5 Answer(s)
-
1
Hello,
ABP allows you to extend permissions. You can add custom properties like below:
var bookPermission = myGroup.AddPermission(AbpSolution2Permissions.Books.Default, L("Permission:Books")); bookPermission.WithProperty("moduleId", "CmsKit"); bookPermission.AddChild(AbpSolution2Permissions.Books.Create, L("Permission:Create")).WithProperty("moduleId", "CmsKit");Then you can add your own
PermissionValueProvideras a contributor as follows:ublic class ModulePermissionValueProvider : PermissionValueProvider { public override string Name => "ModuleUser"; public ModulePermissionValueProvider(IPermissionStore permissionStore) : base(permissionStore) { } public override Task<MultiplePermissionGrantResult> CheckAsync(PermissionValuesCheckContext context) { var permissionNames = context.Permissions.Select(x => x.Name).ToArray(); foreach (var permission in context.Permissions) { if (!CheckAsync(context.Principal, permission.Properties["module_id"]?.ToString())) { return Task.FromResult(new MultiplePermissionGrantResult(permissionNames, PermissionGrantResult.Prohibited)); } } return Task.FromResult(new MultiplePermissionGrantResult(permissionNames, PermissionGrantResult.Granted)); } public override Task<PermissionGrantResult> CheckAsync(PermissionValueCheckContext context) { var moduleId = context.Permission.Properties["module_id"]?.ToString(); if (moduleId.IsNullOrEmpty()) { return Task.FromResult(PermissionGrantResult.Undefined); } if (!CheckAsync(context.Principal, context.Permission.Properties["module_id"]!.ToString())) { return Task.FromResult(PermissionGrantResult.Prohibited); } return Task.FromResult(PermissionGrantResult.Granted); } private bool CheckAsync(ClaimsPrincipal? principal, string? moduleId) { if (moduleId.IsNullOrEmpty() || principal == null) { return false; } return principal!.HasClaim(x => x.Type == moduleId); } }Once a provider is defined, it should be added to the AbpPermissionOptions as shown below:
Configure<AbpPermissionOptions>(options => { options.ValueProviders.Add<ModulePermissionValueProvider>(); });See more: https://abp.io/docs/latest/framework/fundamentals/authorization#permission-value-providers
**Disclaimler: ** This code is not recommended for direct use in a production environment. It was created just to give an idea, you can customize it according to your own needs.
-
0
Hi ABP.IO Support Team,
Thank you for your response!
Our goal is to establish a single permission set that applies across multiple LOBs/modules.
Here’s the scenario:
Permission: Profile.Create
Modules/LOBs: Buyer, SupplierUser A: Has permission to create a profile in the Buyer module only.
User B: Has permission to create a profile in both the Buyer and Supplier modules.We need your help us to provide some sample code for Backend and Frontend.
Could you please advise on the best approach to implement this?
Thank you!
-
0
Hello,
ABP allows you to extend permissions. You can add custom properties like below:
var bookPermission = myGroup.AddPermission(AbpSolution2Permissions.Books.Default, L("Permission:Books")); bookPermission.WithProperty("moduleId", "CmsKit"); bookPermission.AddChild(AbpSolution2Permissions.Books.Create, L("Permission:Create")).WithProperty("moduleId", "CmsKit");Then you can add your own
PermissionValueProvideras a contributor as follows:ublic class ModulePermissionValueProvider : PermissionValueProvider { public override string Name => "ModuleUser"; public ModulePermissionValueProvider(IPermissionStore permissionStore) : base(permissionStore) { } public override Task<MultiplePermissionGrantResult> CheckAsync(PermissionValuesCheckContext context) { var permissionNames = context.Permissions.Select(x => x.Name).ToArray(); foreach (var permission in context.Permissions) { if (!CheckAsync(context.Principal, permission.Properties["module_id"]?.ToString())) { return Task.FromResult(new MultiplePermissionGrantResult(permissionNames, PermissionGrantResult.Prohibited)); } } return Task.FromResult(new MultiplePermissionGrantResult(permissionNames, PermissionGrantResult.Granted)); } public override Task<PermissionGrantResult> CheckAsync(PermissionValueCheckContext context) { var moduleId = context.Permission.Properties["module_id"]?.ToString(); if (moduleId.IsNullOrEmpty()) { return Task.FromResult(PermissionGrantResult.Undefined); } if (!CheckAsync(context.Principal, context.Permission.Properties["module_id"]!.ToString())) { return Task.FromResult(PermissionGrantResult.Prohibited); } return Task.FromResult(PermissionGrantResult.Granted); } private bool CheckAsync(ClaimsPrincipal? principal, string? moduleId) { if (moduleId.IsNullOrEmpty() || principal == null) { return false; } return principal!.HasClaim(x => x.Type == moduleId); } }Once a provider is defined, it should be added to the AbpPermissionOptions as shown below:
Configure<AbpPermissionOptions>(options => { options.ValueProviders.Add<ModulePermissionValueProvider>(); });See more: https://abp.io/docs/latest/framework/fundamentals/authorization#permission-value-providers
**Disclaimler: ** This code is not recommended for direct use in a production environment. It was created just to give an idea, you can customize it according to your own needs.
Thank you for your response!
Our goal is to establish a single permission set that applies across multiple LOBs/modules.
Here’s the scenario:
Permission: Profile.Create
Modules/LOBs: Buyer, SupplierUser A: Has permission to create a profile in the Buyer module only.
User B: Has permission to create a profile in both the Buyer and Supplier modules.We need your help us to provide some sample code for Backend and Frontend.
Could you please advise on the best approach to implement this?
Thank you!
-
0
Hi Support Team,
We are looking for your URGENT help on this.
Regards,
Hariom Mall
-
0
Hello,
I understand the last need you mentioned, but it seems to be quite different from the first problem you mentioned. ABP's permission system is based on ASP.NET's policy based authorization. Therefore, you can solve this problem the same way you solve this problem in a regular ASP.NET application. However, I will still try to provide you with sample code as much as I can to give you an idea.
You should define which modules a user can access and store it in the entity as below:
public class UserModulePermission : Entity<Guid> { public Guid UserId { get; set; } public string PermissionName { get; set; } public string ModuleName { get; set; } }Then, as I mentioned in my first answer, you need to create your own PermissionValueProvider and check whether the user has access to that module or not.
Feel free to write if you have a specific problem while implementing it.
