ABP framework: Authorization

Source: Internet
Author: User



Content of this section:

  • Introduction
    • About IPermissionChecker
  • Define permissions
  • Check permissions
    • Use the AbpAuthorize attribute
      • Notes on the AbpAuthorize attribute
      • Disable authorization
    • Use IPermissionChecker
    • In the Razor View
    • Client (JavaScript)
  • Permission Manager

 

Introduction

Almost all enterprise applications use authorization at some level. Authorization is used to check whether a user is allowed to perform specific operations in the application.

ABP defines a permission-based infrastructure for authorization.

About IPermissionChecker

The authorization system uses IPermissionChecker to check permissions. You can implement it in your own way, and it is fully implemented in the module-zero project. If this interface is not implemented, NullPermissionChecker is used, which grants all permissions to everyone.

 

Define permissions

A unique permission must be defined for each operation that needs to be authorized, and a permission must be defined before it is used. ABP is designed to be modular, so different modules can have different permissions. A module should create a class that inherits from AuthorizationProvider to define its permissions. The following is an example authorization provider:

public class MyAuthorizationProvider : AuthorizationProvider
{
    public override void SetPermissions(IPermissionDefinitionContext context)
    {
        var administration = context.CreatePermission("Administration");

        var userManagement = administration.CreateChildPermission("Administration.UserManagement");
        userManagement.CreateChildPermission("Administration.UserManagement.CreateUser");

        var roleManagement = administration.CreateChildPermission("Administration.RoleManagement");
    }
}

IPermissionDefinitionContext can be used to get and create permissions.

A permission has the following properties:

  • Name: a system-wide unique name. It is good practice to define it as a string constant rather than a magic string. We prefer dot (.) notation for hierarchical names, but it is not required. You can choose any name you like; the only rule is that it must be unique.
  • DisplayName: a localized text used to display the permission in the UI.
  • Description: a localized text used to display the permission's description in the UI.
  • MultiTenancySides: in a multi-tenant application, a permission can be used by tenants or by the host. This is a flags enumeration, so a permission can be used on both sides.
  • DependedFeature: used to declare a dependency on features. The permission is granted only when the feature dependency is satisfied.

A permission can have one parent permission and multiple child permissions. Although this has no effect on permission checks, it can help to group permissions in the UI.

After creating an authorization provider, we should register it in the pre-initialization method of our module:

Configuration.Authorization.Providers.Add<MyAuthorizationProvider>();

Authorization providers are automatically registered with dependency injection. Therefore, an authorization provider can inject any dependency (such as a repository) and use other sources to define permissions.

 

Check permissions

Use the AbpAuthorize attribute

The AbpAuthorize attribute (AbpMvcAuthorize for MVC controllers, AbpApiAuthorize for Web API controllers) is the simplest and most common way to check permissions. Consider the following application service method:

[AbpAuthorize("Administration.UserManagement.CreateUser")]
public void CreateUser(CreateUserInput input)
{
    // A user cannot execute this method without the "Administration.UserManagement.CreateUser" permission.
}

The CreateUser method cannot be called by users who do not have the "Administration.UserManagement.CreateUser" permission.

The AbpAuthorize attribute also checks whether the current user is logged in (using IAbpSession.UserId). Therefore, if we declare AbpAuthorize on a method without a permission name, it only checks whether the user is logged in:

[AbpAuthorize]
public void SomeMethod(SomeMethodInput input)
{
    // If the user is not logged in, this method cannot be executed.
}

 

Notes on the AbpAuthorize attribute

The following restrictions apply to methods that use the AbpAuthorize attribute:

  • It cannot be used on private methods.
  • It cannot be used on static methods.
  • It cannot be used on methods of a class that is not injected (we must use dependency injection).

At the same time, it can be used on:

  • Any public method that is called through an interface (for example, an application service used through its interface).
  • A virtual method that is called directly through a class reference (such as ASP.NET MVC or Web API controllers).
  • A protected virtual method.
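
An added example (not part of the original article or the ABP code base) that turns the placement rules above into an automated check: it uses reflection to list methods that carry AbpAuthorize but are private, static, or not virtual. The stand-in AbpAuthorizeAttribute, IUserAppService, UserAppService and AbpAuthorizeAudit are hypothetical names constructed so the block compiles without ABP; the check cannot tell whether a class is actually resolved through dependency injection.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

// Stand-in so the sample compiles without ABP (assumption); the audit matches the
// attribute by type name, so it also finds the real Abp.Authorization attribute.
[AttributeUsage(AttributeTargets.Method)]
public class AbpAuthorizeAttribute : Attribute
{
    public AbpAuthorizeAttribute(params string[] permissions) { }
}

public interface IUserAppService { void CreateUser(string name); }

// Constructed sample: one enforceable placement and three that are not.
public class UserAppService : IUserAppService
{
    [AbpAuthorize("Administration.UserManagement.CreateUser")]
    public void CreateUser(string name) { }        // public, reachable via interface
    [AbpAuthorize] private void Insert() { }       // private
    [AbpAuthorize] public static void Purge() { }  // static
    [AbpAuthorize] protected void Touch() { }      // protected but not virtual
}

public static class AbpAuthorizeAudit
{
    // Returns "Type.Method" for each decorated method that breaks the placement rules.
    public static List<string> FindUnenforced(Assembly assembly)
    {
        const BindingFlags all = BindingFlags.Instance | BindingFlags.Static |
            BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.DeclaredOnly;
        return assembly.GetTypes()
            .SelectMany(t => t.GetMethods(all))
            .Where(m => m.GetCustomAttributes(false)
                         .Any(a => a.GetType().Name == "AbpAuthorizeAttribute"))
            // Interface implementations report IsVirtual even without the keyword.
            .Where(m => m.IsPrivate || m.IsStatic || !m.IsVirtual
                        || (m.IsFamily && m.IsFinal))
            .Select(m => m.DeclaringType.Name + "." + m.Name)
            .ToList();
    }

    public static void Main()
    {
        foreach (var hit in FindUnenforced(typeof(UserAppService).Assembly))
            Console.WriteLine("AbpAuthorize cannot be enforced on " + hit);
    }
}
```

For each method it reports, either change the method so it meets the rules above or check the permission inside the method body through PermissionChecker.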

Note: There are four types of authorize attributes:

  • In an application service (application layer), we use the Abp.Authorization.AbpAuthorize attribute.
  • In an MVC controller (web layer), we use the Abp.Web.Mvc.Authorization.AbpMvcAuthorize attribute.
  • In ASP.NET Web API, we use the Abp.WebApi.Authorization.AbpApiAuthorize attribute.
  • In ASP.NET Core, we use the Abp.AspNetCore.Mvc.Authorization.AbpMvcAuthorize attribute.

These differences come from inheritance. In the application layer, the attribute is entirely ABP's own implementation and does not extend any class, but in MVC and Web API it inherits from the Authorize attribute of the respective framework.

 

Disable authorization

We can add the AbpAllowAnonymous attribute to an application service to disable authorization for a method or class. For MVC, Web API, and ASP.NET Core controllers, use the framework's own AllowAnonymous attribute.

 

Use IPermissionChecker

Although the AbpAuthorize attribute handles most situations well, in some cases we have to check a permission inside a method body. We can then inject and use IPermissionChecker, as shown below:

public void CreateUser(CreateOrUpdateUserInput input)
{
    if (!PermissionChecker.IsGranted("Administration.UserManagement.CreateUser"))
    {
        throw new AbpAuthorizationException("You are not authorized to create user!");
    }

    // A user who has not been granted "Administration.UserManagement.CreateUser" cannot reach this point.
}

IsGranted simply returns true or false (there is also an asynchronous version), so you can build any logic around it. If you only need to check a permission and throw an exception as above, you can use the Authorize method:

public void CreateUser(CreateOrUpdateUserInput input)
{
    PermissionChecker.Authorize("Administration.UserManagement.CreateUser");

    // A user who has not been granted "Administration.UserManagement.CreateUser" cannot reach this point.
}

Because authorization is so widely used, ApplicationService and some other common base classes inject and expose a PermissionChecker property. Therefore, in application service classes you can use the permission checker without injecting it.

 

In the Razor View

The base view class defines the IsGranted method to check whether the current user has a permission. Therefore, we can render parts of a view conditionally, for example:

@if (IsGranted("Administration.UserManagement.CreateUser"))
{
    <button id="CreateNewUserButton" class="btn btn-primary"><i class="fa fa-plus"></i> @L("CreateNewUser")</button>
}

 

Client (JavaScript)

On the client, we can use the API defined in the abp.auth namespace. In most cases, we need to check whether the current user has a specific permission (by permission name). For example:

abp.auth.isGranted('Administration.UserManagement.CreateUser');

You can also get all granted permissions, or the names of all available permissions, through the abp.auth namespace (for example abp.auth.grantedPermissions). You can inspect the other APIs of the abp.auth namespace at runtime.

 

Permission Manager

We may need the permission definitions themselves. In that case, we can inject and use IPermissionManager.

 
