Hi liangshiwei,
Many thx for your help.
Final question: should I remove the Tenant Management and Edition Management modules so that my client is not able to enable them without my permission?
Hi,
You can add the CompanyName to the user's claims.
https://docs.abp.io/en/abp/latest/Authorization#claims-principal-factory
https://docs.abp.io/en/abp/latest/Modules/OpenIddict#updating-claims-in-access_token-and-id_token

    protected override Expression<Func<TEntity, bool>> CreateFilterExpression<TEntity>()
    {
        var expression = base.CreateFilterExpression<TEntity>();
        var companyName = currentUser.FindClaimValue("....");

        if (typeof(ICompany).IsAssignableFrom(typeof(TEntity)))
        {
            // Compare the entity's CompanyName column with the value from the user's claim.
            Expression<Func<TEntity, bool>> isCompanyFilter =
                e => !IsCompanyFilterEnabled || EF.Property<string>(e, "CompanyName") == companyName;
            expression = expression == null
                ? isCompanyFilter
                : QueryFilterExpressionHelper.CombineExpressions(expression, isCompanyFilter);
        }

        return expression;
    }
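An added example, not code from the thread or from ABP itself: a complete DbContext for the ICompany filter that reads the company name through a property of the DbContext instance. EF Core builds the model once per context type and caches it, so a per-request value in a global filter has to come from an instance member to be re-evaluated for each query. Assumptions: the class name `MyAppDbContext`, the claim type placeholder, resolving `ICurrentUser` through `LazyServiceProvider`, and an ABP version whose override signatures match the ones used in this thread.

```csharp
using System;
using System.Linq.Expressions;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Metadata;
using Volo.Abp.Data;
using Volo.Abp.EntityFrameworkCore;
using Volo.Abp.Users;

public interface ICompany { string CompanyName { get; } }

// Hypothetical DbContext name; ICompany is the interface from the thread.
public class MyAppDbContext : AbpDbContext<MyAppDbContext>
{
    // Placeholder: the claim type you add in your claims principal contributor.
    private const string CompanyClaimType = "<company-claim-type>";

    public MyAppDbContext(DbContextOptions<MyAppDbContext> options) : base(options) { }

    protected bool IsCompanyFilterEnabled => DataFilter?.IsEnabled<ICompany>() ?? false;

    // Instance member: EF Core evaluates it against the DbContext that runs
    // each query, so every request is filtered by its own user's company.
    protected string CurrentCompanyName =>
        LazyServiceProvider.LazyGetRequiredService<ICurrentUser>().FindClaimValue(CompanyClaimType);

    protected override bool ShouldFilterEntity<TEntity>(IMutableEntityType entityType)
    {
        return typeof(ICompany).IsAssignableFrom(typeof(TEntity))
            || base.ShouldFilterEntity<TEntity>(entityType);
    }

    protected override Expression<Func<TEntity, bool>> CreateFilterExpression<TEntity>()
    {
        var expression = base.CreateFilterExpression<TEntity>();
        if (typeof(ICompany).IsAssignableFrom(typeof(TEntity)))
        {
            // A user without the claim yields NULL here and matches only rows
            // whose CompanyName is NULL, so keep that column non-nullable.
            Expression<Func<TEntity, bool>> isCompanyFilter = e =>
                !IsCompanyFilterEnabled ||
                EF.Property<string>(e, "CompanyName") == CurrentCompanyName;
            expression = expression == null
                ? isCompanyFilter
                : QueryFilterExpressionHelper.CombineExpressions(expression, isCompanyFilter);
        }
        return expression;
    }
}
```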
Hi liangshiwei,
We follow ABP modular practice (instead of the Application Template, we develop with the Module Template), so what is the correct place to put the above custom filter: in Module.EntityFrameworkCore or my tiered Application.EntityFrameworkCore?
Also, how can I make sure that when I am creating a Module and Tiered Application via ABP SUITE, it is Host-only and does not have Tenant or Edition?
By default, does ABP Suite include Tenant Management & Edition Management in the application?
Thanks, Navneet
Another idea is to remove multi-tenancy and create a "Company Id" and somehow filter users of one company who buy a license and VPS servers. If I follow this path, any suggestion on how I can filter it?
You can check the document: https://docs.abp.io/en/abp/latest/Data-Filtering#defining-custom-filters
Many thanks liangshiwei,
We have decided to use your above suggestion. It is easy to set a global filter; however, I am not sure how to convert bool to a company filter.
Could you please suggest?
I created an interface as ICompany
    public interface ICompany
    {
        string CompanyName { get; }
    }
What am I missing below? How can I filter as e.CompanyName == _user.CompanyName?
    protected bool IsCompanyFilterEnabled => DataFilter?.IsEnabled<ICompany>() ?? false;

    protected override bool ShouldFilterEntity<TEntity>(IMutableEntityType entityType)
    {
        if (typeof(ICompany).IsAssignableFrom(typeof(TEntity)))
        {
            return true;
        }
        return base.ShouldFilterEntity<TEntity>(entityType);
    }

    protected override Expression<Func<TEntity, string>> CreateFilterExpression<TEntity>()
    {
        var expression = base.CreateFilterExpression<TEntity>();
        if (typeof(ICompany).IsAssignableFrom(typeof(TEntity)))
        {
            Expression<Func<TEntity, string>> isCompanyFilter = e => !IsCompanyFilterEnabled ||
                EF.Property<string>(e, "ICompany").where(e.CompanyName == _user.CompanyName);
            expression = expression == null
                ? isCompanyFilter
                : QueryFilterExpressionHelper.CombineExpressions(expression, isCompanyFilter);
        }
        return expression;
    }
Also, is there any way I can manage Tenant roles where I, as a host, create, delete and update, however the Tenant is only able to see pre-seeded/created roles?
You can set role create, delete, and edit permissions to only apply to the host.
And create a new manage tenant roles page for the host:
    public class CreateTenantRoleInput
    {
        public string TenantName { get; set; }
        ....
    }

    public class ManageTenantRolesAppService:...
    {
        public async Task CreateAsync(CreateTenantRoleInput input)
        {
            // Look up the target tenant by name, then switch to it for the insert.
            var tenant = await _tenantStore.FindAsync(input.TenantName);
            using (currentTenant.Change(tenant.Id))
            {
                await _roleRepository.InsertAsync(..);
            }
        }
    }
Hi liangshiwei,
I tried to investigate your solution; however, I believe I may be complicating it further while trying to adjust my project. I have the below options, and maybe you can help me with another idea.
Any other idea??
Hi,
ABP supports multi-tenancy as a first class citizen. You can define multi-tenancy side option while defining a new permission. It gets one of the three values defined below:
Host: The permission is available only for the host side.
Tenant: The permission is available only for the tenant side.
Both (default): The permission is available both for tenant and host sides.
https://docs.abp.io/en/abp/latest/Authorization#multi-tenancy
You can set the create, edit, and delete permission definitions to host. In this way, the tenant will not have permissions.
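An added example, not code from the thread or from ABP itself: a permission definition provider in the application that switches the Identity module's role create, update and delete permissions to the host side. The provider class name is hypothetical, and the example assumes the Identity module's permissions are already defined when this provider runs.

```csharp
using System;
using Volo.Abp.Authorization.Permissions;
using Volo.Abp.Identity;
using Volo.Abp.MultiTenancy;

// Hypothetical provider name; it belongs to a module that depends on the Identity module.
public class HostOnlyRolePermissionDefinitionProvider : PermissionDefinitionProvider
{
    // Role permissions that tenant users must not be able to hold.
    private static readonly string[] HostOnlyPermissions =
    {
        IdentityPermissions.Roles.Create,
        IdentityPermissions.Roles.Update,
        IdentityPermissions.Roles.Delete
    };

    public override void Define(IPermissionDefinitionContext context)
    {
        foreach (var name in HostOnlyPermissions)
        {
            var permission = context.GetPermissionOrNull(name);
            if (permission == null)
            {
                // Fail at startup rather than silently leaving the permission
                // available on the tenant side.
                throw new InvalidOperationException(
                    $"Permission '{name}' is not defined; cannot restrict it to the host.");
            }

            // Host: the permission is available only for the host side.
            permission.MultiTenancySide = MultiTenancySides.Host;
        }
    }
}
```

The role list permission (`IdentityPermissions.Roles.Default`) is left untouched, so tenant users can still see the pre-seeded roles.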
Hi liangshiwei,
Thanks for your suggestion, that was easy to implement.
As I have a complex query to run, how can I determine if the current user is from Host or Tenant? One idea is to inject ICurrentUser and query as ( _currentUser.TenantId == null ) to determine. Is this the correct way, or is there any other way?
Hi Maliming,
Many thx for your help. Enjoy rest of your day
hi
Please share the logs of this error.
Btw we have changed the OnDelete(DeleteBehavior.NoAction) to OnDelete(DeleteBehavior.Cascade).
If you have similar code you can change it.
Hi maliming,
You are correct, the default template had OnDelete(DeleteBehavior.NoAction); once I changed it to OnDelete(DeleteBehavior.Cascade), everything is working perfectly.
When can we expect this to be fixed?
Also, can you please refund the ticket?
Thanks
Hi gterdem and Nico,
Thank you both for giving me extensive help; it took me a little while to digest.
@gterdem: I agree with you that Authorization in Web API is not straight and after discussing with the client, we have decided that the client will handle Authorization by themselves; I will be helping them only with Authentication. So, your above steps work perfectly to Authenticate.
@Nico: your suggestion to create an entity to assign User/Role to ~~Application or~~ Scope is perfect, as it supports the below scenario.
Is the Controller the right place to check if a user/role has an assigned scope?
Regards,
Hi gterdem,
Thanks for your response, after reading and researching your "You can not pre-authenticate" I now completely agree with you and apologise for this confusion.
Let me give you a little more info about what I am trying to achieve, I am working on a project for a client that has two WebApi for Stock Management and Currency Management designed in asp.net core (I cannot change and it is out of ABP Solution), so I have:
Everything is working fine, but I don't know how I can assign permission to users or roles for the above-created application or scope so that not all users can access.
Can you please suggest which AppService or Domain Manager I can investigate or customize so that my clients can assign users/roles to scope/applications?
Regards, Bunty
Hello team,
Any update on my request, please?
Thx Navneet