【问题标题】:ABP Web Api : [Authorize] attribute not working correctly with three permissions on Controller actionABP Web Api:[Authorize] 属性在控制器操作的三个权限下无法正常工作
【发布时间】:2022-09-13 17:28:35
【问题描述】:

ABP Web Api:[Authorize] 属性在三个操作权限下无法正常工作, 仅在一项操作权限下才能正常工作,如下所示:

用户必须拥有这三个权限才能访问 Controller Action , 但是如果用户只有一个权限,他就不能访问控制器动作

我需要一种方法来允许任何只有一种权限的用户访问控制器操作

[Authorize]
public class RequestDeleteBuildingController : AqaratController, IRequestDeleteBuildingAppService
{

    // 1'st method - not working
    //[Authorize(Roles = AqaratPermissions.RequestAddBuilding.Create + "," + AqaratPermissions.RequestEditBuilding.Create + "," + AqaratPermissions.RequestDeleteBuilding.Create)]

    // 2'nd method - not working
    //[Authorize(Roles = $"{AqaratPermissions.RequestAddBuilding.Create},{AqaratPermissions.RequestEditBuilding.Create},{AqaratPermissions.RequestDeleteBuilding.Create}")]

    // 3'rd method - not working
    //[Authorize(AqaratPermissions.RequestAddBuilding.Create)]
    //[Authorize(AqaratPermissions.RequestEditBuilding.Create)]
    //[Authorize(AqaratPermissions.RequestDeleteBuilding.Create)]

    // 4'th method - working only with one permission 
    [Authorize(AqaratPermissions.RequestAddBuilding.Create)]
    public async Task<RequestBuildingCoordinateDto> CreateAsync(Guid requestId, CreateUpdateRequestBuildingCoordinateDto input)
    {
        return await requestBuildingCoordinateAppService.CreateAsync(requestId, input);
    }

}

【问题讨论】:

    标签: api abp


    【解决方案1】:

    经过搜索,我们发现了两种经过测试和确认的解决方案:

    第一个解决方案:为所需权限配置新的自定义策略并使用控制器操作上方 [Authorize] 中的策略,如 GitHub 主题:https://github.com/abpframework/abp/pull/10152#issue-1007619207

    // Configure custom policy for required permissions
            context.Services.AddAuthorization(options =>
            {
                options.AddPolicy("RequestAddBuilding.Edit_OR_RequestEditBuilding.Edit", policy =>
                {
                    policy.Requirements.Add(new PermissionsRequirement(
                            new[] { AqaratPermissions.RequestAddBuilding.Edit, AqaratPermissions.RequestEditBuilding.Edit },
                            requiresAll: false));
                });
            });
    
    // Use custom policy    
    [Authorize("RequestAddBuilding.Edit_OR_RequestEditBuilding.Edit")]
    
     
    

    第二种解决方案:使用 ABP IPermissionChecker permissionChecker.IsGrantedAsync() 检查所需的权限,如下所示:

    // Inject IPermissionChecker in controller 
    private readonly IPermissionChecker permissionChecker;
    
    //Check for Required Permissions
    [HttpPut("{id}")]
    public async Task<RequestBuildingMainDataDto> UpdateAsync(Guid id, CreateUpdateRequestBuildingMainDataDto input)
            {
                if (!(await permissionChecker.IsGrantedAsync(AqaratPermissions.RequestAddBuilding.Edit)) &&
                    !(await permissionChecker.IsGrantedAsync(AqaratPermissions.RequestEditBuilding.Edit)))
                        throw new AbpAuthorizationException();
    
                return await requestBuildingMainDataAppService.UpdateAsync(id, input);
            }
    
    

    【讨论】:

      猜你喜欢
      • 1970-01-01
      • 2022-01-06
      • 2018-04-12
      • 2019-05-13
      • 1970-01-01
      • 2013-07-26
      • 2020-06-24
      • 1970-01-01
      • 1970-01-01
      相关资源
      最近更新 更多