
Adding roles, protect api and frontend components

Hi,

First of all great starting project, thank you.

What I want to achieve is adding an approval system. Let's say a user with an approval role can only approve/reject added content, and cannot create or delete content.

I've added roles under ApplicationPermissions, and they can be seen in the admin page under roles and can be assigned to users. Now I would like to grant access to some APIs and components depending on the approval role.

I can see that in the frontend you grant access to the admin component depending on the CanViewUsers/Roles. So I would need to create roles and permissions in the account service and permission model, then protect the component access (as I want a separate component for this) depending on the required role. Anything I forgot here for the frontend?

For the backend I don't know what else to change or where to start. Let's say I would have an update method that only the approver can call. Do I create a policy ApprovalPolicy and an extra ApprovalOperations class with only read/update authorization, and add it in the startup class as authorization? What else?

Hi,

The files you'll need to modify to get going are listed below:

CLIENT

  • permission.model.ts - Add your new permission to this file. Follow what is already there as an example

Note: Extending the account.service.ts file is not required here. But of course feel free to put custom logic here when necessary.

SERVER

  • ApplicationPermissions.cs - This is the source of all the permissions in the application. Following what is already there, you'll add your new permissions here. Don't forget to also include your created permissions in the static constructor ApplicationPermissions()

The next thing to do is to protect your API or whatever resources you want protected using any of the approaches stated in the links below:

  • https://docs.microsoft.com/en-us/aspnet/core/security/authorization/claims
  • https://docs.microsoft.com/en-us/aspnet/core/security/authorization/roles
  • https://docs.microsoft.com/en-us/aspnet/core/security/authorization/policies
  • https://docs.microsoft.com/en-us/aspnet/core/security/authorization/resourcebased?tabs=aspnetcore2x

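One way to apply the policy-based approach from the links above to the approve/reject scenario in this thread, as an added example that is not QuickApp's own code. The claim type `permission`, the permission values `content.manage` and `content.approve`, the policy names and the controller are all hypothetical, and the app is assumed to already have bearer-token authentication configured.

```csharp
using System.Collections.Concurrent;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical names: use the permission values you added to ApplicationPermissions.cs.
public static class ContentPolicies
{
    public const string PermissionClaim = "permission"; // assumed claim type in the token
    public const string Manage = "ManageContentPolicy";
    public const string Approve = "ApproveContentPolicy";

    public static IServiceCollection AddContentPolicies(this IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            // One policy per permission: a role holding only "content.approve"
            // satisfies Approve but fails Manage, so it cannot create or delete.
            options.AddPolicy(Manage, p => p.RequireClaim(PermissionClaim, "content.manage"));
            options.AddPolicy(Approve, p => p.RequireClaim(PermissionClaim, "content.approve"));
        });
        return services;
    }
}

[ApiController]
[Route("api/content")]
[Authorize] // no valid token: 401; valid token lacking the permission: 403
public class ContentController : ControllerBase
{
    // In-memory store (id -> approved flag) so the example is self-contained.
    private static readonly ConcurrentDictionary<int, bool> Items =
        new ConcurrentDictionary<int, bool>();

    [HttpPost("{id:int}"), Authorize(Policy = ContentPolicies.Manage)]
    public IActionResult Create(int id) =>
        Items.TryAdd(id, false) ? (IActionResult)Ok(id) : Conflict(); // starts unapproved

    [HttpDelete("{id:int}"), Authorize(Policy = ContentPolicies.Manage)]
    public IActionResult Delete(int id) =>
        Items.TryRemove(id, out _) ? (IActionResult)NoContent() : NotFound();

    [HttpPut("{id:int}/approval"), Authorize(Policy = ContentPolicies.Approve)]
    public IActionResult SetApproval(int id, [FromBody] bool approved)
    {
        if (!Items.TryGetValue(id, out var current)) return NotFound();
        Items.TryUpdate(id, approved, current); // approver changes status only
        return NoContent();
    }
}
```

Register the policies with `services.AddContentPolicies()` where the startup class configures services, and keep the client-side permission check as a UI convenience only, since the server-side policy is what enforces access.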

@alve I would like to either help test or build this code with you as I need this functionality as well. @adentum is there a repo that we can do this from or do we have to do it separately from the current repo?

@keith I assume you're referring to QuickApp Standard. Please get in touch via mail. There's a dev branch I can get you access to.

@keith

I'm unable to share my code now as there are sensitive data. I would need to refactor it first.

I don't know which version you are using but above in this post you have the guidelines where to change things. I was able to protect the frontend as described and am now trying to protect my API. I could protect it but am now figuring out how to add the new policies and permission as I got a 401 on some APIs, which means the protection is working.

PS the pro version has a lot of things already implemented.