<<ABP Framework >> Licensing

Document Directory

The content of this section:

• Brief introduction
  • About Ipermissionchecker
• Defining licenses
• Check License
• Using the Abpauthorize feature
  • Abpauthorize Characteristics Considerations
  • Revocation of authorization
• Using Ipermissionchecker
• In the razor view.
• Client (Javascript)
• License Manager

Brief introduction

Almost all enterprise applications use authorization at some level of the trigger. Authorization is used to verify that a user is allowed to specify certain actions in the app.

The ABP defines a licensing-based infrastructure to implement authorization.

About Ipermissionchecker

The authorization system uses Ipermissionchecker to check the license, although you implement it in your own way, but it is fully implemented in the Module-zero project. If the interface is not implemented, Nullpermissionchecker is used, which grants everyone permission.

Defining licenses

The only license defined for each operation must be authorized, first defined for the use of the license, the ABP is modular, so different modules can have different licenses, and a module should create a class that inherits Authorizationprovider in order to define its license. An example of the authorization provider is as follows:

 Public classmyauthorizationprovider: authorizationprovider{ Public Override voidSetPermissions (Ipermissiondefinitioncontext context) {varAdministration = context.createpermission("Administration"); varUsermanagement = administration.createchildpermission("administration.usermanagement"); Usermanagement. createchildpermission ("Administration.UserManagement.CreateUser"); varRolemanagement = administration.createchildpermission("administration.rolemanagement"); }}

Ipermissiondefinitioncontext has the method of acquiring and creating a license.

A license contains some attributes:

• Name: A unique name within a system domain, with a string constant, without a mutable string, is a good practice. In the grading we prefer to use the. (dot) number to name, but it is not required, you set the name you like, the only rule is to be unique.
• DisplayName: A localized text that is used to display the permission on the UI later.
• Description: A localized text that is used to display the license description later on the UI.
• Multitenancysides: In a multitenant application, a license can be used by a tenant or host, which is a marked enumeration, so a license can be used by both the tenant and the host.
• Dependedfeature: Used to indicate a dependency on a feature (feature), so this license will only be allowed if it satisfies the feature (characteristic) dependency.

A license can have a parent license and multiple sub-licenses, although this has no effect on the license check, but may help organize the license on the UI.

After creating an authorization provider, we should register it in the pre-initialization method of our module:

Configuration.Authorization.Providers.Add<MyAuthorizationProvider> ();

An authorization provider is automatically registered in a dependency injection, so an authorization provider can inject any dependency (such as a warehousing) so that it can use other sources to define the license.

Check License

Using the Abpauthorize feature

Abpauthorize (abpmvcauthorize for MVC controllers, abpapiauthorize for Web API controllers) is the simplest and most common way to use licensing. Suppose you have an application service method that looks like this:

[Abpauthorize ("Administration.UserManagement.CreateUser")]    Public void  CreateUser (Createuserinput input) {    //A user can not execute the This method if he was not granted For "Administration.UserManagement.CreateUser" permission.}

The CreateUser method cannot be called by a user without a "Administration.UserManagement.CreateUser" permission.

The Abpauthorize feature also checks whether the current user is logged in (using IAbp.Session.UsrId), so if we declare a abpauthorize for a method, it is used only to check if the user is logged in:

[Abpauthorize]  Public void somemethod (Somemethodinput input) {
If the user is not logged in, this method cannot be executed }

Abpauthorize Characteristics Considerations

The ABP uses powerful dynamic method interception for authorization, so there are some limitations on how to use the Abpauthorize feature:

• cannot be used with private methods.
• cannot be used with static methods.
• cannot be used for methods in non-injected classes (we must use dependency injection).

At the same time, it can be used:

• Any public method called through an interface, such as using an app service through an interface.
• A virtual method that is called directly from a class reference, such as an ASP. NET MVC or Web API controller.
• A protected virtual method.

Note: There are 4 types of authorization features:

• In an Application service (application layer), we use the Abp.Authorization.AbpAuthorize feature.
• In an MVC controller (WEB layer), we use the Abp.Web.Mvc.Authorization.AbpMvcAuthorize feature.
• In an ASP. NET Web API, we use the Abp.WebApi.Authorization.AbpApiAuthorization feature.
• In an ASP. NET core, we use the Abp.AspNetCore.Mvc.Authorization.AbpMvcAuthorize feature.

These differences come from inheritance, and in the application layer, the ABP is fully implemented and does not extend any classes, but in the MVC and Web APIs, it inherits from the authorize characteristics of its own framework.

Revocation of authorization

We can add the Abpallowanonymous attribute to the app service to disable authorization for a method/class, using the framework's own allowanonymous feature to disable authorization for MVC, Web Api, and ASP.

Using Ipermissionchecker

While the Abpauthorize feature is perfect for most situations, there are situations where we have to check a license within a method, and we can inject and use Ipermissionchecker as follows:

 public  void   CreateUser (Createorupdateuserinput input) { if  (!  permissionchecker.isgranted (  Administration.UserManagement.CreateUser      )  ) { thro W  new  abpauthorizationexception ( "  you is not authorized to create user!   "    ); 
//A user may not be able to get here without the permission of "Administration.usermanagerment.CreateUser". }

Although isgranted simply returns TRUE or FALSE, you can also write any logic (Isgranted also has an asynchronous version). If you are simply checking a license and throwing an exception as above, you can use the authorize method:

 Public void CreateUser (Createorupdateuserinput input) {    permissionchecker.authorize ("  Administration.UserManagement.CreateUser");

A user may not be able to get here without the permission of "Administration.usermanagerment.CreateUser".

}

Because of the widespread use of authorization, applicationservice and some common base classes inject and define the PermissionChecker attribute, so in the application service class, the License checker can be used without injection.

In the razor view.

The base view class has defined the Isgranted method to check whether the current user has a license, so we can conditionally render the view, for example:

@if (isgranted ("Administration.UserManagement.CreateUser" )){    <button id="Createnewuserbutton" class="btn Btn-primary"><iclass="FA Fa-plus"></i> @l ("CreateNewUser") </button>}

Client (Javascript)

In the client, we can use the API defined in the Abp.auth namespace, and in most cases we need to check whether the current user has a specified license (using the license name), for example:

abp.auth.isGranted ('Administration.UserManagement.CreateUser');

You can also use Abp.auth.grantedPermissions to get all grant permissions or abp.auth.allPerssions to get all the available license names. Look at the other APIs in the Abp.auth namespace at run time.

License Manager

We may use the definition of a license, where ipermissionmanager can be injected and used.

<<ABP Framework >> Licensing