
Adding property to the Permission object #8852


User avatar
0
nguyenngoc.son created

Hi,
We're looking to add the moduleId property when we define the permission using the PermissionDefinitionProvider class. However, the AddPermission method or AddChild method cannot accept a new property.
Can you provide us with a sample of how we can do that?


5 Answer(s)
  • User Avatar
    1
    berkansasmaz created
    Support Team .NET Developer

    Hello,

    ABP allows you to extend permissions. You can add custom properties like below:

    var bookPermission = myGroup.AddPermission(AbpSolution2Permissions.Books.Default, L("Permission:Books"));
    bookPermission.WithProperty("moduleId", "CmsKit");

    bookPermission.AddChild(AbpSolution2Permissions.Books.Create, L("Permission:Create")).WithProperty("moduleId", "CmsKit");
    

    Then you can add your own PermissionValueProvider as a contributor as follows:

    using System.Linq;
    using System.Security.Claims;
    using System.Threading.Tasks;
    using Volo.Abp.Authorization.Permissions;

    public class ModulePermissionValueProvider : PermissionValueProvider
    {
        // Must match the key passed to WithProperty(...) in the permission definition.
        private const string ModuleIdPropertyName = "moduleId";

        public override string Name => "ModuleUser";

        public ModulePermissionValueProvider(IPermissionStore permissionStore)
            : base(permissionStore)
        {
        }

        public override Task<MultiplePermissionGrantResult> CheckAsync(PermissionValuesCheckContext context)
        {
            var permissionNames = context.Permissions.Select(x => x.Name).ToArray();

            // Every permission starts as Undefined; each one is then decided on its own,
            // so a permission without a moduleId does not prohibit the rest.
            var result = new MultiplePermissionGrantResult(permissionNames);

            foreach (var permission in context.Permissions)
            {
                result.Result[permission.Name] = Check(context.Principal, permission);
            }

            return Task.FromResult(result);
        }

        public override Task<PermissionGrantResult> CheckAsync(PermissionValueCheckContext context)
        {
            return Task.FromResult(Check(context.Principal, context.Permission));
        }

        private static PermissionGrantResult Check(ClaimsPrincipal? principal, PermissionDefinition permission)
        {
            // TryGetValue avoids the KeyNotFoundException the dictionary indexer
            // throws for permissions that were defined without the property.
            if (!permission.Properties.TryGetValue(ModuleIdPropertyName, out var value) ||
                string.IsNullOrEmpty(value?.ToString()))
            {
                // Not a module permission: leave the decision to the other providers.
                return PermissionGrantResult.Undefined;
            }

            var moduleId = value!.ToString();

            // The principal must carry a claim whose type equals the module id.
            if (principal == null || !principal.HasClaim(x => x.Type == moduleId))
            {
                return PermissionGrantResult.Prohibited;
            }

            // Granted is this provider's own grant; return Undefined here instead
            // if role/user grants should still be required.
            return PermissionGrantResult.Granted;
        }
    }
    

    Once a provider is defined, it should be added to the AbpPermissionOptions as shown below:

    Configure<AbpPermissionOptions>(options =>
    {
        options.ValueProviders.Add<ModulePermissionValueProvider>();
    });
    
    

    See more: https://abp.io/docs/latest/framework/fundamentals/authorization#permission-value-providers

    **Disclaimer:** This code is not recommended for direct use in a production environment. It was created just to give an idea; you can customize it according to your own needs.


  • User Avatar
    0
    hariom.mall@tasconnect.com created

    Hi ABP.IO Support Team,

    Thank you for your response!

    Our goal is to establish a single permission set that applies across multiple LOBs/modules.

    Here’s the scenario:

    Permission: Profile.Create
    Modules/LOBs: Buyer, Supplier

    User A: Has permission to create a profile in the Buyer module only.
    User B: Has permission to create a profile in both the Buyer and Supplier modules.

    We need your help to provide some sample code for the backend and frontend.

    Could you please advise on the best approach to implement this?

    Thank you!

  • User Avatar
    0
    hariom.mall@tasconnect.com created

    Hi Support Team,

    We are looking for your URGENT help on this.

    Regards,

    Hariom Mall

  • User Avatar
    0
    berkansasmaz created
    Support Team .NET Developer

    Hello,

    I understand the last need you mentioned, but it seems to be quite different from the first problem you mentioned. ABP's permission system is based on ASP.NET's policy-based authorization. Therefore, you can solve this problem the same way you solve this problem in a regular ASP.NET application. However, I will still try to provide you with sample code as much as I can to give you an idea.

    You should define which modules a user can access and store it in the entity as below:

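    using System;
    using Volo.Abp.Domain.Entities;

    // One row per (user, permission, module) grant.
    public class UserModulePermission : Entity<Guid>
    {
        public Guid UserId { get; set; }
        public string PermissionName { get; set; }   // e.g. "Profile.Create"
        public string ModuleName { get; set; }       // e.g. "Buyer" or "Supplier"
    }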
    

    Then, as I mentioned in my first answer, you need to create your own PermissionValueProvider and check whether the user has access to that module or not.


    Feel free to write if you have a specific problem while implementing it.
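
One way the provider described in the last answer could look for the Profile.Create / Buyer / Supplier scenario. This is an added example, not code from the support team or from ABP. `ICurrentModuleAccessor`, the `"ModuleScoped"` property name and the provider name are assumptions made for illustration; `UserModulePermission` is the entity from the answer above.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Volo.Abp.Authorization.Permissions;
using Volo.Abp.Domain.Repositories;
using Volo.Abp.Security.Claims;

// Hypothetical: resolves the module ("Buyer", "Supplier") the current request targets.
public interface ICurrentModuleAccessor { string? ModuleName { get; } }

public class UserModulePermissionValueProvider : PermissionValueProvider
{
    // Assumed marker, set with .WithProperty("ModuleScoped", true) on the permission definition.
    public const string ModuleScopedProperty = "ModuleScoped";
    private readonly IRepository<UserModulePermission, Guid> _grants;
    private readonly ICurrentModuleAccessor _currentModule;
    public override string Name => "UserModule";

    public UserModulePermissionValueProvider(IPermissionStore store,
        IRepository<UserModulePermission, Guid> grants, ICurrentModuleAccessor currentModule)
        : base(store) { _grants = grants; _currentModule = currentModule; }

    public override Task<PermissionGrantResult> CheckAsync(PermissionValueCheckContext context)
        => CheckOneAsync(context.Principal, context.Permission);

    public override async Task<MultiplePermissionGrantResult> CheckAsync(PermissionValuesCheckContext context)
    {
        var result = new MultiplePermissionGrantResult(context.Permissions.Select(p => p.Name).ToArray());
        foreach (var permission in context.Permissions)
            result.Result[permission.Name] = await CheckOneAsync(context.Principal, permission);
        return result;
    }

    private async Task<PermissionGrantResult> CheckOneAsync(ClaimsPrincipal? principal, PermissionDefinition permission)
    {
        // Permissions not marked module-scoped are left to the role/user providers.
        if (!permission.Properties.ContainsKey(ModuleScopedProperty))
            return PermissionGrantResult.Undefined;
        var module = _currentModule.ModuleName;
        // Fail closed: a module-scoped permission with no module or no user id is never granted.
        if (string.IsNullOrEmpty(module) ||
            !Guid.TryParse(principal?.FindFirst(AbpClaimTypes.UserId)?.Value, out var userId))
            return PermissionGrantResult.Prohibited;
        var granted = await _grants.AnyAsync(g =>
            g.UserId == userId && g.PermissionName == permission.Name && g.ModuleName == module);
        return granted ? PermissionGrantResult.Granted : PermissionGrantResult.Prohibited;
    }
}
```

With one row (User A, Profile.Create, Buyer) and two rows for User B (Buyer and Supplier), User A is prohibited from Profile.Create when the request targets Supplier, while User B is granted in both modules. The module name must be resolved on the server from data the client cannot choose freely, otherwise the check can be bypassed by naming a module the user does hold.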

Made with ❤️ on ABP v9.2.0-preview. Updated on March 13, 2025, 04:08