
Permission checker #627


0
alexander.nikonov created

3.3.1 / Angular

Hi ABP team.

I created a solution as an ABP module. At this moment I would like to check for permissions which were granted for a user's roles. I'm using the IsGrantedAsync method of the IPermissionStore interface. But this method returns a negative result every time. I'm using the "*.HttpApi.Host" project to run and test my solution.

Also I've found out that information about the user isn't complete: the user's roles are absent in the CurrentUser member of the ApplicationService object, but the access token contains this data.

Could you please suggest what I did wrong and how it can be fixed? I would like to add a custom provider name like "Q", what am I supposed to do in this case and how to make IPermissionStore interface methods work with a new provider name?
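
An added example for the custom provider name asked about above (not part of the original post and not ABP's own code): a permission value provider named "Q" that takes its provider keys from the caller's claims and looks each one up through IPermissionStore. The claim type `q_group`, the class names and the module are hypothetical, and the code assumes the 3.x `PermissionValueProvider` base class with a single abstract `CheckAsync`.

```csharp
using System.Linq;
using System.Threading.Tasks;
using Volo.Abp.Authorization;
using Volo.Abp.Authorization.Permissions;
using Volo.Abp.Modularity;

// Hypothetical provider: grants stored under provider name "Q" are keyed by
// the value of an assumed "q_group" claim on the caller's principal.
public class QPermissionValueProvider : PermissionValueProvider
{
    public const string ProviderName = "Q";
    public const string KeyClaimType = "q_group"; // assumption, not an ABP claim type

    public QPermissionValueProvider(IPermissionStore permissionStore)
        : base(permissionStore)
    {
    }

    public override string Name => ProviderName;

    public override async Task<PermissionGrantResult> CheckAsync(PermissionValueCheckContext context)
    {
        // Keys come from the authenticated principal. If the claims never reach
        // the principal, no store lookup happens and the result stays Undefined.
        var keys = context.Principal?
            .FindAll(KeyClaimType)
            .Select(c => c.Value)
            .Distinct()
            .ToArray();

        if (keys == null || keys.Length == 0)
        {
            return PermissionGrantResult.Undefined;
        }

        foreach (var key in keys)
        {
            // Same call the thread discusses: (permission name, provider name, provider key).
            if (await PermissionStore.IsGrantedAsync(context.Permission.Name, Name, key))
            {
                return PermissionGrantResult.Granted;
            }
        }

        // Undefined lets the remaining providers decide; it is not an explicit deny.
        return PermissionGrantResult.Undefined;
    }
}

[DependsOn(typeof(AbpAuthorizationModule))]
public class QPermissionModule : AbpModule // hypothetical module name
{
    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        // Register the provider so the permission checker consults it.
        Configure<AbpPermissionOptions>(options =>
        {
            options.ValueProviders.Add<QPermissionValueProvider>();
        });
    }
}
```

The store only returns true for a grant recorded with provider name "Q" and a key equal to one of the claim values, so the claim mapping on the API host has to be checked before the store itself.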


14 Answer(s)
  • 0
    alper created
    Support Team

    Do you have typeof(AbpPermissionManagementEntityFrameworkCoreModule) in your DependsOn attribute in the Host project?

  • 0
    alexander.nikonov created

    Yes, it's there:

  • 0
    alper created
    Support Team

    Hi, I guess you are using the separated identity server architecture. It seems like there's an issue about retrieving the role claims. When there are no role claims, permissions are not working properly.

    This is most probably an Identity Server configuration issue. I'll try to reproduce it in my local.

  • 0
    alexander.nikonov created

    You are right. I'm using a separate Identity Server. All Identity Server configuring has been done. I'm using a simple Authorize attribute without any permission as extra parameters and I didn't find any mistakes in my log related to Identity Server. Looking forward to your findings.

  • 0
    alper created
    Support Team

    I tried with a new 3.3.2 project and it works if you are starting the request from swagger; you need to authorize it via swagger.

  • 0
    alexander.nikonov created

    Hi,

    I'm not using swagger in this case. I built an Angular application based on the ABP template. This application can authorize a user and send requests to several services. As you can see below in the picture, the access token has been parsed and information about the user and their roles is present. What is the reason IPermissionStore may return an incorrect result?

  • 0
    alper created
    Support Team

    Do you see granted policies for this user?

    https://localhost:44328/api/abp/application-configuration

  • 0
    alexander.nikonov created

    I couldn't check permissions in my business logic in "Service 2" (see our current workflow picture attached below). Both services have a connection to the same DB. I've attached pictures in my first post, where you can notice that the property CurrentUser of the AppService object doesn't contain any roles for this user. But if I open AuthorizeService in my controller, the access token is parsed and claims with roles are present (see picture in prev post).

  • 0
    maliming created
    Support Team

    hi @alexander.nikonov

    Can you use the template project to reproduce the problem and share it with me? [email protected]

  • 0
    alexander.nikonov created

    Hi @maliming.

    We found out that our project contains a mix of commercial and free libraries. It has been fixed, but the issues of using IPermissionStore remained. I've generated an ABP module project to reproduce the issue as you had asked me. Don't forget: that project is run separately and connected to IdentityServer, which is run separately too and is not a part of this project. So the Abp.PermissionStoreTest.IdentityServer project was unloaded and didn't take part in the testing. I didn't manage to find the source code of the Volo.ABP.Authorization NuGet package (version 3.3.2). Could you please tell me where it is located or share one with me via attachment?

    Please check your e-mail for the project's source code + screenshots.

    Looking forward to your reply.

  • 0
    maliming created
    Support Team

    hi

    "Could you please tell me where it is located or share one with me via attachment?"

    https://github.com/abpframework/abp/tree/dev/framework/src/Volo.Abp.Authorization

    I will check your email asap. : )

  • 0
    maliming created
    Support Team

    hi

    Can you share some steps? And your project is using Oracle. I only have SQL Server.

    Thanks. Regards

  • 0
    alexander.nikonov created

    Hi.

    We found out that the class which implements the IPermissionStore interface has different behavior than we expected. This class has a limitation on checking granted permissions. It can check any permission which was declared in the current ABP module for some roles, but due to the limitation, it doesn't allow checking a granted permission which was declared in another module for the same roles.

    Also please pay attention to the property CurrentUser. As you can see, this property returns an object with information about the user who sent the request. And the field UserName is null. Could you please explain how it can be fixed or what we did wrong? This field is required for us.

  • 0
    maliming created
    Support Team

    hi @alexander.nikonov

    Your situation is complicated; I cannot confirm the problem.

    Can you use the template project to reproduce the problem and share it with me? [email protected]