Activities of "alexander.nikonov"
The problem is that this.router.config does not return lazy-loading routing module nodes where actually my data with moduleId resides.
It only returns the ordinary nodes.
You can still use the RoutesService to modify the menu anytime and anywhere in the app you can use it in the app.component.ts.
Hi. I am aware about this. But what I actually need is to retrieve information about data of my route items. As I mentioned, RoutersService does not provide this information.
I heard the idea of Permission Guard earlier in this thread and I wrote about it in my previous message:
However I've just checked out that canActivate is not triggered when I reload my root page
I.e. when I navigate to the root page (https://localhost:4200/) of the site (not a specific page) - this guard is not triggered. And the site menu is not checked against available module ID permissions, so all the pages are shown, even those which need to be hidden according to the available module ID permissions.
So I asked what needs to be overriden in the given case - definitely it is not a Permission Guard.
Actually I do not need "403" error if there is no permission: this is already handled by back-end method public override async Task<PermissionGrantResult> CheckAsync(PermissionValueCheckContext context)
What I need now is to HIDE the page if there is no permission assigned to its module ID. I prepared API call with module ID mappings which returns the following structure:
"moduleID1" => ["permissionA", "permissionX"],
"moduleID2" => ["permissionY", "permissionX"],
If the page has moduleId="moduleID1" and "permissionB" as a requiredPolicy, it needs to be hidden from the menu, since mapping for "moduleID1" does not contain "permissionB"
So I just need to know what is ABP code where I can put this check. Please, reply ASAP.
Probably it needs to happen inside this.route.visible$.subscribe(visibleRoute => { ... }) of app.component.ts, but I need to be sure there is one and only one place which controls menu item visibility and it does not make conflict with other relevant ABP code.
UPDATE: here is another problem - the ABP getters below do not store data attribute, so they do not return this information:
this.route.flat$.subscribe((flatRoute: ABP.Route[]) => {
//PROBLEM: flatRoute does not contain `data`, so we cannot retrieve `moduleId`
flatRoute.filter(x => x.requiredPolicy).forEach(routeItemWithPolicy => {
console.log(routeItemWithPolicy);
});
Thank you for reply.
However I've just checked out that canActivate is not triggered when I reload my root page, i.e. it is not responsible for showing/hiding menu items:
Question 1) what ABP service/method is actually used to decide what to show or hide in the menu?
Question 2) meanwhile to save time while waiting for your reply I decided to make a server method (the result is supposed to be cached in Angular client) which returns mapping between module IDs and their permissions. Is it a correct approach? I've tried to use PermissionAppService.GetAsync() directly inside the loop, but it is very slow:
public virtual async Task<Dictionary<string, IEnumerable<string>>> GetModuleRolePermissionMapAsync()
{
var moduleRoleNames = await _modulePermissionChecker.GetModuleRoleNamesAsync(CurrentTenant.Id, CurrentUser.Id, CurrentUser.IsAuthenticated);
var result = new Dictionary<string, IEnumerable<string>>();
using (CurrentTenant.Change(null))
{
var permissionGrants = await _permissionGrantRepository.GetListAsync();
result = moduleRoleNames.GroupJoin
(
permissionGrants.Where(pg => pg.ProviderName == RolePermissionValueProvider.ProviderName),
moduleRoleName => moduleRoleName,
permissionGrant => permissionGrant.ProviderKey,
(moduleRoleName, permissionGrants) => (moduleRoleName, permissionGrantNames: permissionGrants.Select(x => x.Name))
)
.ToDictionary(x => x.moduleRoleName, x => x.permissionGrantNames);
}
return result;
}
The mechanism we implemented is an advanced role permission check - with an intermediate layer added. It replaces the standard ABP role mechanism, so would be logically to override client-side permission check instead of adding something new (at back-end we replaced Role Provider). Moreover, we don't want to write a new guard from scratch, because most of the functionality of ABP PermissionGuard fits us.
So, is it possible to override PermissionGuard keeping in mind the following requirement:
considering the following route data for "Page 1":
{ moduleId: "Module 1", requiredPolicy: "Permission 1" }this page needs to be visible in the menu only if server finds "Permission 1" among all permissions assigned to "Module 1"
?
I see two problems here:
- even if I pass the collection of
moduleIdpresent in our route (using interceptor or whatever) and I will be able to read this information from request insidepublic override async Task<MultiplePermissionGrantResult> CheckAsync(PermissionValuesCheckContext context)- the output parameter signature for this method does not suppose something besides permission. It supposes the permission is either granted or not. In our case, the same permission may be granted to one module id (and then the corresponding page is shown) and revoked to another module id... - even I manage to adapt a modified
grantedPoliciesparameter for the overriden ABPPermissionServiceat client-side (I suppose this service makes decision if the specific page is shown in the menu), I am not sure I will make things work in general, probably you may tell me:
Record<string, boolean>needs to becomeRecord<string + string, boolean>("permission A" is granted or revoked for "module A")
UPDATE: what I have additionally discovered is that I cannot control ABP pages permissions - the pages which I have not overriden. It's weird or I'm missing something:
Permission check of such pages in custom PermissionValueProvider does not happen, i.e. CheckAsync is not triggered...
I've implemented Module Role conception. Module Role is bound to a Module ID, It's like a unique identifier of Angular app page. A Module Role is filled with ordinary permissions. At the same time, a group of Module Roles can be assigned to an ordinary role. This conception works as expected for per-page access, when a page is accessed via menu, because Module ID is passed to back-end and I can check if there specific page has three requested permissions.
However, it doesn't work properly when I load the app and expect to see only those pages in the menu whose Module ID has the required permission for this page.
So the question is how to pass-through additional information of route (like this module ID) from Angular app to a back-end:
when I load the specific page via URL:
or just navigating to the app https://localhost:4200 (and expecting to see only specific module ID-related pages in the menu)
to have it available in any possible way (via DI request object, etc.) inside your method:
public override async Task<MultiplePermissionGrantResult> CheckAsync(PermissionValuesCheckContext context)
?
https://docs.abp.io/en/abp/latest/Localization#extending-existing-resource
You can override existing localized text in different solutions
Thank you - I will try to make use of the including basic type into any empty resource class of ModulePermission class. Hope it will work out.
Could you please let me know if it is possible to pass-through additional information of route (like this module ID) from Angular app somehow to a back-end?
when I am loading the specific page via URL:
or just navigating to the app https://localhost:4200 (and expecting to see only specific module ID-related pages in the menu)
inside your method:
public override async Task<MultiplePermissionGrantResult> CheckAsync(PermissionValuesCheckContext context)
? I need information about all module IDs (module ID matches Module Role, which contains permissions) for my Angular app pages to check out which of them are to be displayed / hidden.
My teammate mentioned that "dynamic permissions" do not fit us for some reasons. I don't know the details yet, I will get back to this later.
Meanwhile I have the following questions.
I moved Module Role functionality into a separate solution which needs to be consumed in two different solutions, layer-by-layer: Domain.Shared, Domain, Application.Contracts, Application, EntityFramework Nuget packages, the same way as ABP solution looks like.
a) ApplicationService layer traditionally contains some localized information:
public class ModulePermissionAppService : ApplicationService, IModulePermissionAppService
And I need to customize resource localization in the places like this:
throw new BusinessException(DomainErrorCodes.NotFound, _stringLocalizer.GetString("Roles:RoleNotFound"));
i.e. dependency-injected _stringLocalizer which is IStringLocalizer<SomeResource> needs to have different value in each case. For instance, IStringLocalizer<ResourceA> in one solution and IStringLocalizer<ResourceB> in another solution. How do I do that?
b) I'd like to pass Authorization Permission class constants in some nice uniform way:
[Authorize(THIS_NEEDS_TO_BE_CUSTOMIZED.Roles.Modify)] //
public async Task DeleteRoleAsync(bool isModuleRole, Guid id, bool ignoreDeleted = false)
[Authorize(THIS_NEEDS_TO_BE_CUSTOMIZED.Roles.Read)] //
public async Task<RoleDto> GetRoleAsync(Guid id)
I guess the
IsDeletedfield value of one of them is true Could be, I've deleted the duplicate and cannot check it out...
The implementation is almost complete. I have the following question.
Let's say my new Role Management page is located in Solution A which has this page in UI. However, I want to assign and revoke granted permissions for other Solutions, each of them has own PermissionDefinition.
How to do that? Indeed, Solution A does not have references to another solutions, particularly. it does not have references to Solution B Application Contracts project, where definitions are described. So the "Role Management" page in Solution A does not list the permissions from Solution B and thus cannot assign or revoke them.
Thank you. Overriding AppService is ok too.
Could you please tell me if it can be considered a bug?
Why ABP allowed me to create two roles with the same name for null-tenant? ABPROLES does not have constraint for [TENANTID, NAME], but I can't figure it out how to make use of two roles with the same name for the same tenant...