
Authorization, Roles and Permission issue with (Roles + User) level combined permissions. #1142


0
lalitChougule created
  • ABP Framework version: v3.0.4
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): no / yes
  • Exception message and stack trace: N.A
  • Steps to reproduce the issue: N.A

Hi,

I am working with Authorization, Roles and Permissions on a microservice architecture.

I have one role, i.e. Anchor, in which I have created a few policies, as below:

  1. Supplier
  2. Supplier.Create
  3. Supplier.Edit
  4. Supplier.Delete
  5. Supplier.View

Case 1: At the role permission level, i.e. Anchor, I have only the check box for Supplier selected. Now I have one user, i.e. Anchor.Admin. At the user permission level I have options like Supplier, which is already selected; I assume this is because the role (i.e. Anchor) has this option selected. Now I select one more policy for this user, say Supplier.View.

Expectation: Anchor.Admin should see the supplier tab/menu, and once the user clicks the view button the user should be able to see the data on the popup screen, because this user has the Supplier.View policy selected on the user permission level screen.

Case 2: At the role permission level, i.e. Anchor (same role as case 1), I have only the check box for Supplier selected. Now I have one user, i.e. AnchorForCheck.Admin. At the user permission level I have options like Supplier, which is already selected; I assume this is because the role (i.e. Anchor) has this option selected.

Expectation: Anchor.Admin should see the supplier tab/menu, but once the user clicks the view button the user should not be able to see the data on the popup screen, because this user has only the Supplier policy selected and no other is selected on the user permission level screen.

AppService level: I have this annotation in place above my method: [Authorize(ProfileManagementPermissions.Supplier.View)]

My Issue : In both case 1 and case 2 because of the authorize annotation placed on my method I am getting this error on UI :

An error has occurred!
Authorization failed! Given policy has not granted

But on my browsers if I check in network I am getting proper data for grantedPolicies :

Case 1:

  1. ProfileManagement.Supplier: true
  2. ProfileManagement.Supplier.View: true

Case 2:

  1. ProfileManagement.Supplier: true

One more thing I need to highlight here is that at my ApplicationService level I don't get info like CurrentUser.Id and CurrentTenant.Id. Is this something to do with my architecture, or am I missing any references or something? I need to make it work for my Role + User level combination of permissions, as in cases 1 and 2 discussed above. In case you need more details for understanding, please do ask.

Thanks


17 Answer(s)
  • 0
    liangshiwei created
    Support Team

    Hi,

    It looks like your project has some problems, but it's complicated. Can you provide a simple project to reproduce? Thanks.

  • 0
    lalitChougule created

    Hi @liangshiwei,

    Sorry, but replicating the architecture will be time-consuming and we need to resolve it in a given timeline. Can we just connect, and maybe you can have a look at the project structure and code? It will be really helpful.

    Thanks

  • 0
    liangshiwei created
    Support Team

    Hi,

    OK, I can connect and look at your code, but I also need some time to understand your project :). Or can you provide steps to reproduce?

  • 0
    lalitChougule created

    @liangshiwei,

    We can connect, so I can give you a brief understanding of my project, and if needed I will provide you the steps for how we built our project. Please let me know how we can connect.

    Thanks

  • 0
    liangshiwei created
    Support Team

    Please email me [email protected]

  • 0
    liangshiwei created
    Support Team

    Hi,

    You need to use redis server.

  • 0
    lalitChougule created

    @liangshiwei

    Can you provide here the links which you shared during the session?

    Thanks

  • 0
    liangshiwei created
    Support Team

    https://github.com/abpframework/abp/blob/dev/modules/permission-management/src/Volo.Abp.PermissionManagement.Domain/Volo/Abp/PermissionManagement/PermissionStore.cs

  • 0
    lalitChougule created

    Hi @liangshiwei,

    Redis is enabled now and I am able to see the data in Redis Studio as well. But still in log.txt I am getting the log below:

    [DBG] Not found in the cache: pn:C,pk:Litmus_App,n:ProfileManagement.Supplier

    Still getting the same errors on UI: An error has occurred! Authorization failed! Given policy has not granted.

  • 0
    liangshiwei created
    Support Team

    Hi,

    I remember you don't want to use Redis. However, we can have a meeting tomorrow.

  • 0
    lalitChougule created

    Hi,

    I remember you don't want to use Redis. However, we can have a meeting tomorrow.

    As I said before, we want to close this issue in the given timeline, so we have to implement whatever solution is available. Thanks for the meeting though. I will drop you a mail tomorrow.

    Thanks again.

  • 0
    liangshiwei created
    Support Team

    Solved. You need to use the same DB for all HttpApi.Host.

  • 0
    jward01 created

    I am having this same issue. What was the solution?

    I have a module which I reference in my Host Monolith.

    If I navigate or use an endpoint from the module I get this same error:

    An error has occurred! Authorization failed! Given policy has not granted.

  • 0
    liangshiwei created
    Support Team

    @jward01

    Open a new question, thanks.

  • 0
    lalitChougule created

    @liangshiwei

    Sorry to reopen this issue. In my InvoiceManagement module, I am getting all the permissions as true in my PermissionGrantRepository output, but I am still getting the Authorization error.

    I have already done all the checks which I could possibly do.

    1. All my DBs are connected to the same env, i.e. dev
    2. MultiTenancy is enabled
    3. Redis is working fine

    One thing I noticed though: in the InvoiceManagement module I have made a class MyPermissionStore : PermissionStore. Even if I have a breakpoint here, my debugger never stops here. And in log.txt I am not able to find any cache log for pn:R,pk:Supplier,n:InvoiceManagement.xxx

    For the role Supplier, I can find data in Redis.Studio but am not able to find it in the logs.

  • 0
    lalitChougule created

    Hi @liangshiwei

    The AbpClaimTypes config and mapping was missing from InvoiceModule. After comparing it with ProfileModule I found this issue.

    It's working fine now. Finally closing this issue :)

    Thanks !!!
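
The failure mode this thread closes on, as an added example that is not ABP source code and not from any poster: a simplified model of a provider-based permission check, showing how grants can exist in the store while every check is denied because the token's claims are not mapped to the types the user and role providers read. The claim-type names, the user ids `u-1`/`u-2`, the `CLAIM_MAP` table and the grant set are constructed assumptions; only the `pn:…,pk:…,n:…` key shape, the `Litmus_App` client key and the permission names come from the thread.

```python
# Added illustration: a simplified model of a provider-based permission check.
# Not ABP source code. Claim-type names, user ids and grants are constructed.
USER_ID, ROLE, CLIENT_ID = "app/userid", "app/role", "client_id"  # types the service reads
PROVIDERS = [("U", USER_ID), ("R", ROLE), ("C", CLIENT_ID)]       # user, role, client

# Hypothetical mapping from raw JWT claim names to the types above
# (stands in for the claim-type mapping that was missing in the thread).
CLAIM_MAP = {"sub": USER_ID, "role": ROLE}

# Grants as stored: role Anchor has Supplier; user u-1 additionally has Supplier.View.
GRANTS = {
    "pn:R,pk:Anchor,n:ProfileManagement.Supplier",
    "pn:U,pk:u-1,n:ProfileManagement.Supplier.View",
}

def map_claims(raw, mapping):
    """Rename raw token claim types to the types the permission providers read."""
    return [(mapping.get(ctype, ctype), value) for ctype, value in raw]

def check(claims, permission, grants=GRANTS):
    """Return (granted, lookups): the decision and every grant key that was tried."""
    lookups = []
    for provider, claim_type in PROVIDERS:
        for ctype, value in claims:
            if ctype != claim_type:
                continue  # this claim is not one the provider understands
            key = f"pn:{provider},pk:{value},n:{permission}"
            lookups.append(key)
            if key in grants:
                return True, lookups
    return False, lookups

def token(sub, role):
    """Constructed access-token claims as they arrive before any mapping."""
    return [("sub", sub), ("role", role), ("client_id", "Litmus_App")]

if __name__ == "__main__":
    view = "ProfileManagement.Supplier.View"
    # Unmapped: only the client provider finds a key, so the user grant is never consulted.
    print(check(token("u-1", "Anchor"), view))
    # Mapped: the user provider resolves u-1 and the grant is found.
    print(check(map_claims(token("u-1", "Anchor"), CLAIM_MAP), view))
```

In the unmapped run the only key tried is the client one, which matches the `pn:C,pk:Litmus_App` line being the sole cache lookup in the log; with the mapping applied, the two users of cases 1 and 2 get the role-plus-user outcome the question asked for.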