ABP Framework version: v9.1
UI Type: Angular
Database System: EF Core (SQL Server)
Tiered (for MVC) or Auth Server Separated (for Angular): yes
Exception message and full stack trace:
Steps to reproduce the issue:
Good day. I'm trying to create roles at the host level that can be applied to the host and tenant [we're referring to these as global tenant roles]. The goal is for these roles to be assignable to users of tenants. We've successfully implemented the permission logic by overriding the PermissionValueProvider. To achieve this, we disabled multitenancy within the provider and looped through the host-level roles assigned to the user, checking if the required permissions are granted. Here's the code snippet:
GlobalPermissionValueProvider : PermissionValueProvider
public override async Task<PermissionGrantResult> CheckAsync(PermissionValueCheckContext context)
{
var userId = context.Principal?.FindFirst(AbpClaimTypes.UserId)?.Value;
if (userId == null)
{
return PermissionGrantResult.Undefined;
}
using (dataFilter.Disable<IMultiTenant>())
{
var hostRoles = await userRepository.GetRolesAsync(new Guid(userId));
foreach (var role in hostRoles.Where(r => r.TenantId == null))
{
var isGranted = await PermissionStore.IsGrantedAsync(
context.Permission.Name,
RolePermissionValueProvider.ProviderName,
role.Name
);
if (isGranted)
return PermissionGrantResult.Granted;
}
}
return PermissionGrantResult.Undefined;
}
public override async Task<MultiplePermissionGrantResult> CheckAsync(PermissionValuesCheckContext context)
{
var result = new MultiplePermissionGrantResult();
foreach (var permission in context.Permissions)
{
var singleCheck = new PermissionValueCheckContext(permission, context.Principal);
var grantResult = await CheckAsync(singleCheck);
result.Result[permission.Name] = grantResult;
}
return result;
}
HttpApiHostModule.cs
Configure<AbpPermissionOptions>(options =>
{
options.ValueProviders.Add<GlobalPermissionValueProvider>();
});
When I view the permissions for a tenant user that is assigned one of these roles (Users> Right Click > Permissions), the permissions set on the host role are not checked and not disabled. It seems they are not inherited correctly.
My questions are the following: 1.) What should I look into to fix the issue with displaying inherited permissions at the user level in the UI? 2.) Is there a better or more standard way to implement this global role-permission behavior across tenants?
Thank you.
