IMPORTANT!
This forum is now archived. Click here for the New Support Forum
Adding roles, protect api and frontend components
Quote from Al Ve on March 1, 2018, 2:20 pm
Hi,
First of all great starting project, thank you.
What I want to achieve is adding an approval system. Let's say a user with an approval role can only approve/reject added content, cannot create content nor delete content.
I've added roles under ApplicationPermissions, and they can be seen in the admin page under roles and can be assigned to users. Now I would like to grant access to some APIs and components depending on the approval role.
I can see that in the frontend you grant access to the admin component depending on the CanViewUsers/Roles. So I would need to create roles and permissions in the account service and permission model, then protect the component access (as I want a separate component for this) depending on the required role. Anything I forgot here for the frontend?
For the backend I don't know what else to change or where to start? Let's say I would have an update method that only the approver can call. Do I create a policy ApprovalPolicy, an extra ApprovalOperations class with only read/update authorization, and add it in the startup class as authorization? What else?
Quote from Eben Monney on March 1, 2018, 3:23 pm
Hi,
The files you'll need to modify to get going are listed below:
CLIENT
- permission.model.ts - Add your new permission to this file. Follow what is already there as an example
Note: Extending the account.service.ts file is not required here. But of course feel free to put custom logic here when necessary
SERVER
- ApplicationPermissions.cs - This is the source of all the permissions in the application. Following what is already there, you'll add your new permissions here. Don't forget to include your created permissions in the static constructor ApplicationPermissions() also
The next thing to do is to protect your API or whatever resources you want protected using any of the approaches stated in the links below:
- https://docs.microsoft.com/en-us/aspnet/core/security/authorization/claims
- https://docs.microsoft.com/en-us/aspnet/core/security/authorization/roles
- https://docs.microsoft.com/en-us/aspnet/core/security/authorization/policies
- https://docs.microsoft.com/en-us/aspnet/core/security/authorization/resourcebased?tabs=aspnetcore2x
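One way to wire up the server side of the answer above with claims-based policies, as an added example that is not QuickApp's own code. The claim type, permission values, policy names and ContentController are assumptions, as is the premise that the permissions of the caller's roles are issued as claims on the caller's identity.

```csharp
using System.Collections.Concurrent;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
// Assumed names: claim type and permission values are illustrative, not the project's.
public static class ContentPermissions
{
    public const string ClaimType = "permission";
    public const string View = "content.view";
    public const string Approve = "content.approve";
    public const string Manage = "content.manage"; // create and delete
}

public static class ContentPolicies
{
    public const string View = "ViewContentPolicy";
    public const string Approve = "ApproveContentPolicy";
    public const string Manage = "ManageContentPolicy";
    // Call from Startup.ConfigureServices: services.AddContentPolicies();
    public static IServiceCollection AddContentPolicies(this IServiceCollection services) =>
        services.AddAuthorization(options =>
        {
            options.AddPolicy(View, p => p.RequireClaim(ContentPermissions.ClaimType, ContentPermissions.View));
            options.AddPolicy(Approve, p => p.RequireClaim(ContentPermissions.ClaimType, ContentPermissions.Approve));
            options.AddPolicy(Manage, p => p.RequireClaim(ContentPermissions.ClaimType, ContentPermissions.Manage));
        });
}

[Route("api/[controller]"), Authorize] // every action requires an authenticated caller
public class ContentController : Controller
{
    // Constructed in-memory data: content id -> approved flag.
    private static readonly ConcurrentDictionary<int, bool> Items = new ConcurrentDictionary<int, bool> { [1] = false };

    [HttpGet("{id}"), Authorize(Policy = ContentPolicies.View)]
    public IActionResult Get(int id) => Items.TryGetValue(id, out var ok) ? Ok(new { id, approved = ok }) : (IActionResult)NotFound();

    // The only write open to an approver: set the approval flag on existing content.
    [HttpPut("{id}/approval"), Authorize(Policy = ContentPolicies.Approve)]
    public IActionResult SetApproval(int id, [FromBody] bool approved)
    {
        if (!Items.ContainsKey(id)) return NotFound();
        Items[id] = approved;
        return NoContent();
    }

    // Deleting needs content.manage, which the approver role is not given.
    [HttpDelete("{id}"), Authorize(Policy = ContentPolicies.Manage)]
    public IActionResult Delete(int id) => Items.TryRemove(id, out _) ? (IActionResult)NoContent() : NotFound();
}
```

A role holding only content.view and content.approve can call Get and SetApproval, while Delete is refused. With JWT bearer authentication, ASP.NET Core answers an unauthenticated caller with 401 and an authenticated caller that lacks the required claim with 403.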
Quote from keith on March 2, 2018, 5:11 pm
@alve I would like to either help test or build this code with you as I need this functionality as well. @adentum is there a repo that we can do this from or do we have to do it separate from the current repo?
Quote from Eben Monney on March 6, 2018, 6:56 pm
@keith I assume you're referring to QuickApp Standard. Please get in touch via mail. There's a dev branch I can get you access to.
Quote from Al Ve on March 8, 2018, 12:33 pm
@keith
I'm unable to share my code now as there are sensitive data. I would need to refactor it first.
I don't know which version you are using but above in this post you have the guidelines where to change things. I was able to protect the frontend as described and am now trying to protect my API. I could protect it but am now figuring out how to add the new policies and permission as I got a 401 on some APIs, which means the protection is working.
PS the pro version has a lot of things already implemented.