Query On Role Assignment - Identity Module #2500 | Support Center | ABP Commercial

arbasu@microsoft.com created 2 years ago

Check the docs before asking a question: https://docs.abp.io/en/commercial/latest/ Check the samples, to see the basic tasks: https://docs.abp.io/en/commercial/latest/samples/index The exact solution to your question may have been answered before, please use the search on the homepage.

If you're creating a bug/problem report, please include followings:

ABP Framework version: v4.4
UI type: Angular
DB provider: EF Core
Tiered (MVC) or Identity Server Separated (Angular): yes (identity server separated) Angular
Exception message and stack trace:
Steps to reproduce the issue:"

Create a Role : Owner Assign Permissions: For User Management

Assign a User (U1) to the role Owner.

Now when this user U1, adds/edits any other user U2, he/she is able to assign other roles like Admin to U2.

We dont want this behavior. An owner can assign any other non-admin roles but not admin role. How can we achieve this out of the box? Also we have made the roles non-default and non-public, still those are visible to users.

<br>

3 Answer(s)

enisn created 2 years ago

Support Team .NET Developer

As a logic you're right. It can be a business logic such as you mentioned. But currently, ABP doesn't implement that kind of logic.

The shortest way to perform that operation is overriding IdentityUserAppService

[Dependency(ReplaceServices = true)]
public class MyCustomIdentityUserAppService : IdentityUserAppService
{
    public MyCustomIdentityUserAppService(
        IdentityUserManager userManager, 
        IIdentityUserRepository userRepository, 
        IIdentityRoleRepository roleRepository, 
        IOptions<IdentityOptions> identityOptions) : base(userManager, userRepository, roleRepository, identityOptions)
    {
    }

    public override async Task<ListResultDto<IdentityRoleDto>> GetAssignableRolesAsync()
    {
        var roles = await base.GetAssignableRolesAsync();
        
        if (/* Your condition.*/) // CurrentUser.UserName == "admin"
        {
            var customRoleList = roles.Items.ToList();
            customRoleList.Remove(roles.Items.FirstOrDefault(x => x.Name == "admin"));

            return new ListResultDto<IdentityRoleDto>(customRoleList);
        }

        return roles;
    }
}```

0

arbasu@microsoft.com created 2 years ago

So just to summarize, does this mean, we need to define a custom ui and integrate the same with a custom service. This custom service will override the logic by inheriting IdentityUserAppService (as you mentioned above).

is that the case?
0

enisn created 2 years ago
Support Team .NET Developer

No, you don't need to define a custom UI. Just override only IdentityUserAppService, and the existing UI will use the same endpoint. You'll just add some custom logic for existing AppService logic.

Have an answer to this question? Log in and write your answer.