ABP Permissions


ABP's permission management is comprehensive, covering interface (API) access, page access, menus, partial rendering, JavaScript, etc. Below are all the usage scenarios for ABP permissions.

Permission Definition Changes

  1. Modify the content of *.Application.Contracts\Permissions\*PermissionDefinitionProvider to change the permission definition.
  2. Running the *.DbMigrator project will automatically grant the new permission to the "admin" role.

Interface Authorization

If only logged-in users are allowed to access, simply add the [Authorize] attribute to the service.

To authorize ABP's built-in CRUD functions, add the following to the constructor of the service implementation class:

    // Note: Modify the Permission Policy according to the actual situation after the assignment statement
    GetPolicyName = *Permissions.RemoteServersConfiguration.Default;
    GetListPolicyName = *Permissions.RemoteServersConfiguration.Default;
    CreatePolicyName = *Permissions.RemoteServersConfiguration.Create;
    UpdatePolicyName = *Permissions.RemoteServersConfiguration.Edit;
    DeletePolicyName = *Permissions.RemoteServersConfiguration.Delete;

If it is for authorization of custom functions, there are two ways to authorize, and the Permission Policy should be modified according to the actual situation:

  • Call await CheckPolicyAsync(GetListPolicyName); inside the function.
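  • Add the [Authorize(*Permissions.RemoteServersConfiguration.Default)] attribute to the method. Attribute arguments must be compile-time constants, so pass the permission constant rather than the GetListPolicyName property.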
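
The CRUD policy assignments and both ways of authorizing a custom function, put together in one service. This is an added example, not code from the original post or from the ABP project; the names RemoteServersPermissions, RemoteServer, RemoteServerDto, RemoteServerAppService, GetCountAsync and RenameAsync are hypothetical.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Volo.Abp.Application.Dtos;
using Volo.Abp.Application.Services;
using Volo.Abp.Domain.Entities;
using Volo.Abp.Domain.Repositories;

// Hypothetical permission names (normally in *.Application.Contracts\Permissions).
public static class RemoteServersPermissions
{
    public const string Default = "RemoteServers.Configuration";
    public const string Create = Default + ".Create";
    public const string Edit = Default + ".Edit";
    public const string Delete = Default + ".Delete";
}
// Hypothetical entity and DTO, kept minimal.
public class RemoteServer : AggregateRoot<Guid> { public string Host { get; set; } = ""; }
public class RemoteServerDto : EntityDto<Guid> { public string Host { get; set; } = ""; }

[Authorize] // baseline: every method requires a logged-in user
public class RemoteServerAppService : CrudAppService<RemoteServer, RemoteServerDto, Guid>
{
    public RemoteServerAppService(IRepository<RemoteServer, Guid> repository) : base(repository)
    {
        // A policy name left null or empty is not checked, so set all five.
        GetPolicyName = RemoteServersPermissions.Default;
        GetListPolicyName = RemoteServersPermissions.Default;
        CreatePolicyName = RemoteServersPermissions.Create;
        UpdatePolicyName = RemoteServersPermissions.Edit;
        DeletePolicyName = RemoteServersPermissions.Delete;
    }

    // Custom method, way 1: imperative check, throws when the permission is missing.
    public async Task<long> GetCountAsync()
    {
        await CheckPolicyAsync(GetListPolicyName);
        return await Repository.GetCountAsync();
    }

    // Custom method, way 2: declarative check; the argument must be a compile-time constant.
    [Authorize(RemoteServersPermissions.Edit)]
    public async Task RenameAsync(Guid id, string host)
    {
        var server = await Repository.GetAsync(id);
        server.Host = host;
        await Repository.UpdateAsync(server);
    }
}
```

A custom method that has neither the CheckPolicyAsync call nor a policy attribute is covered only by the class-level [Authorize], so any logged-in user can call it.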

Website Sidebar Authorization

To show or hide menus in the website sidebar, i.e., menu authorization:

  1. Find *.Web\Menus\*MenuContributor.ConfigureMainMenuAsync().
  2. Define the menu metadata.
  3. Call .RequirePermissions(*Permissions.RemoteServersBoard.Default) on the menu. Modify the Permission Policy inside this function according to the actual situation.

Razor Pages Authorization

Only authorizing menus does not truly protect the pages. If the page path is directly entered in the browser, the page can still be accessed. Therefore, the pages also need to be authorized:

  • Find *.Web\*WebModule.ConfigureServices() and locate the code for Configure<RazorPagesOptions>.

  • Refer to the existing configuration and add the following code to authorize the page path. Modify the page path and Permission Policy according to the actual situation:

    options.Conventions.AuthorizePage("/RemoteServers/Board/Remote", *Permissions.RemoteServersBoard.Remote);    

Razor Pages Server Side Render Authorization

After authorizing the pages, the server-rendered content within the pages also needs to be authorized, i.e., only allowing the use of functionalities that the user has permission to use:

  • Add @inject IAuthorizationService AuthorizationService inside the Razor Pages page to inject the authorization service.

  • Add the following authorization code outside the server-rendered content that needs to be authorized. Modify the Permission Policy according to the actual situation:

    @if (await AuthorizationService.IsGrantedAsync(*Permissions.RemoteServersConfiguration.Create))

JavaScript Authorization

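Even after authorizing the Server Side Render content, the application is still not fully protected because some content is dynamically loaded through JavaScript. The JavaScript check only controls what the browser displays, while the service calls behind it remain protected by the interface authorization above. This part needs to be authorized using JavaScript: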

  • Open the JavaScript code that needs to be authorized and add the following authorization code. Modify the Permission Policy according to the actual situation:
