abpframework / abp

Open-source web application framework for ASP.NET Core! Offers an opinionated architecture to build enterprise software solutions with best practices on top of .NET. Provides the fundamental infrastructure, cross-cutting-concern implementations, startup templates, application modules, UI themes, tooling and documentation.
https://abp.io
GNU Lesser General Public License v3.0

Prevent user from getting access to permission which is accessible in the user's assigned role. #20250

Closed ali-mustafa-98 closed 1 month ago

ali-mustafa-98 commented 1 month ago

Is there an existing issue for this?

Description

If I have a role "Customer" assigned to the user "user1" and it has many permissions assigned to it, how can I prevent "user1" from getting access to permission "p1", which is accessible from the "Customer" role, while keeping all other permissions assigned to the "Customer" role still accessible by "user1"? I have tried doing this by using `IPermissionManager` like this: `await permissionManager.SetForUserAsync(userId, p1, false)`. However, this approach did not work, and "user1" still has access to permission "p1". Then I tried defining a new custom permission management provider as stated in the "Abp framework tutorial => Permission Management Module" [image], but this also did not work. I was not able to prohibit the user from getting access to any permission that is accessible by the user's role.

Reproduction Steps

No response

Expected behavior

No response

Actual behavior

No response

Regression?

No response

Known Workarounds

No response

Version

8.2

User Interface

Common (Default)

Database Provider

EF Core (Default)

Tiered or separate authentication server

Tiered

Operation System

Windows (Default)

Other information

No response

realLiangshiwei commented 1 month ago

This is not a bug. Users should be able to access all permissions of the role.

If you need you can override the PermissionChecker to deny certain permissions https://github.com/abpframework/abp/blob/c9f59bc75d41d4b9f7865bf491eb470d4d496d80/framework/src/Volo.Abp.Authorization/Volo/Abp/Authorization/Permissions/PermissionChecker.cs#L44

ali-mustafa-98 commented 1 month ago

> This is not a bug. Users should be able to access all permissions of the role.
>
> If you need you can override the PermissionChecker to deny certain permissions
> https://github.com/abpframework/abp/blob/c9f59bc75d41d4b9f7865bf491eb470d4d496d80/framework/src/Volo.Abp.Authorization/Volo/Abp/Authorization/Permissions/PermissionChecker.cs#L44

The documentation states that the Identity Module defines two types of permission management providers:

- `UserPermissionManagementProvider`: Manages user-based permissions.
- `RolePermissionManagementProvider`: Manages role-based permissions.

The order of the providers is important. Providers are executed in the reverse order. If `RolePermissionManagementProvider` gets executed first, how can I change the order of execution? More importantly, if I had the `UserPermissionManagementProvider` as the first provider to be executed, would this allow me to make some permissions prohibited from being accessed by the user while still being accessible by the user's role?

realLiangshiwei commented 1 month ago

They are arranged in the order they are added to the options:

https://github.com/abpframework/abp/blob/8e72c106e662a503e359319aae32fd23ab45a713/framework/src/Volo.Abp.Authorization/Volo/Abp/Authorization/AbpAuthorizationModule.cs#L40-L44

You can add your `PermissionValueProvider` at the top:

```csharp
// In your module's ConfigureServices. ValueProviders is a type list, so register the
// provider type; index 0 makes it the first provider PermissionChecker consults.
Configure<AbpPermissionOptions>(options =>
{
    options.ValueProviders.Insert(0, typeof(YourPermissionValueProvider));
});
```

There is the document:

https://docs.abp.io/en/abp/latest/Authorization#advanced-topics
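The approach realLiangshiwei points at, worked out as an added example (this is not code from the issue or from the ABP repository): a custom `PermissionValueProvider` registered at index 0 that returns `Prohibited` for explicit user/permission pairs, so a user keeps every permission of the "Customer" role except the ones listed. The `UserPermissionDenyOptions`, `UserPermissionDenyValueProvider` and `UserPermissionDenyModule` names, the `"UD"` provider name and the sample user id are assumptions made for illustration; the ABP types used (`PermissionValueProvider`, `PermissionGrantResult`, `MultiplePermissionGrantResult`, `AbpPermissionOptions`, the `FindUserId()` claims extension) are the framework's own.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Extensions.Options;
using Volo.Abp.Authorization;
using Volo.Abp.Authorization.Permissions;
using Volo.Abp.Modularity;
using Volo.Abp.Security.Claims;

// Hypothetical options type: which permission names are denied for which user ids.
// An in-memory set keeps the example self-contained; a real deployment would back
// this with configuration or a repository.
public class UserPermissionDenyOptions
{
    public HashSet<(Guid UserId, string PermissionName)> Denied { get; } = new();
}

// Consulted before the built-in user ("U"), role ("R") and client ("C") providers.
// Returning Prohibited makes PermissionChecker deny the permission even though the
// role provider would grant it; returning Undefined leaves the decision to the others.
public class UserPermissionDenyValueProvider : PermissionValueProvider
{
    public const string ProviderName = "UD"; // hypothetical short name for this provider

    private readonly UserPermissionDenyOptions _options;

    public UserPermissionDenyValueProvider(
        IPermissionStore permissionStore,
        IOptions<UserPermissionDenyOptions> options)
        : base(permissionStore)
    {
        _options = options.Value;
    }

    public override string Name => ProviderName;

    public override Task<PermissionGrantResult> CheckAsync(PermissionValueCheckContext context)
    {
        var userId = context.Principal?.FindUserId();
        var denied = userId.HasValue &&
                     _options.Denied.Contains((userId.Value, context.Permission.Name));

        return Task.FromResult(denied ? PermissionGrantResult.Prohibited : PermissionGrantResult.Undefined);
    }

    // Batch variant used when several permissions are checked at once: start with every
    // name Undefined and flip only the denied ones to Prohibited.
    public override Task<MultiplePermissionGrantResult> CheckAsync(PermissionValuesCheckContext context)
    {
        var names = context.Permissions.Select(p => p.Name).ToArray();
        var result = new MultiplePermissionGrantResult(names); // all Undefined by default

        var userId = context.Principal?.FindUserId();
        if (userId.HasValue)
        {
            foreach (var name in names.Where(n => _options.Denied.Contains((userId.Value, n))))
            {
                result.Result[name] = PermissionGrantResult.Prohibited;
            }
        }

        return Task.FromResult(result);
    }
}

[DependsOn(typeof(AbpAuthorizationModule))]
public class UserPermissionDenyModule : AbpModule
{
    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        Configure<AbpPermissionOptions>(options =>
        {
            // ValueProviders holds provider types; index 0 puts this one ahead of U/R/C.
            options.ValueProviders.Insert(0, typeof(UserPermissionDenyValueProvider));
        });

        Configure<UserPermissionDenyOptions>(options =>
        {
            // Constructed sample (hypothetical user id): "user1" keeps every permission of
            // the Customer role except "p1".
            options.Denied.Add((Guid.Parse("11111111-1111-1111-1111-111111111111"), "p1"));
        });
    }
}
```

Two points to check before relying on this. First, the position matters for the batch check: `PermissionChecker` only records the first non-`Undefined` result it sees per permission, so a deny provider placed after the role provider would be too late there; index 0 avoids that. Second, if a permission definition restricts its `Providers` (for example to `"C"` only), the checker skips every provider whose `Name` is not in that list, so `"UD"` has to be added to such definitions for the deny to apply. This also explains the original attempt: `SetForUserAsync(userId, p1, false)` revokes a user-level grant by deleting it, and the grant store holds grants only, so there is no stored "deny" that could outrank a grant coming from the role.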