
Query On Role Assignment - Identity Module #2500


arbasu@microsoft.com created

Check the docs before asking a question: https://docs.abp.io/en/commercial/latest/ Check the samples, to see the basic tasks: https://docs.abp.io/en/commercial/latest/samples/index The exact solution to your question may have been answered before, please use the search on the homepage.

If you're creating a bug/problem report, please include the following:

  • ABP Framework version: v4.4
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes (identity server separated) Angular
  • Exception message and stack trace:
  • Steps to reproduce the issue:

Create a Role: Owner

Assign Permissions: For User Management

Assign a User (U1) to the role Owner.

Now when this user U1, adds/edits any other user U2, he/she is able to assign other roles like Admin to U2.

We don't want this behavior. An owner can assign any other non-admin roles but not the admin role. How can we achieve this out of the box? Also, we have made the roles non-default and non-public, but they are still visible to users.



3 Answer(s)
  • enisn created
    Support Team

    Logically, you're right. It can be business logic, as you mentioned. But currently, ABP doesn't implement that kind of logic.

    The shortest way to perform that operation is overriding IdentityUserAppService:

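    ```csharp
    using System.Linq;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Identity;
    using Microsoft.Extensions.Options;
    using Volo.Abp.Application.Dtos;
    using Volo.Abp.DependencyInjection;
    using Volo.Abp.Identity;

    // Replaces the built-in IdentityUserAppService in the DI container.
    [Dependency(ReplaceServices = true)]
    public class MyCustomIdentityUserAppService : IdentityUserAppService
    {
        public MyCustomIdentityUserAppService(
            IdentityUserManager userManager,
            IIdentityUserRepository userRepository,
            IIdentityRoleRepository roleRepository,
            IOptions<IdentityOptions> identityOptions)
            : base(userManager, userRepository, roleRepository, identityOptions)
        {
        }

        // Returns the roles offered when a user is created or edited.
        public override async Task<ListResultDto<IdentityRoleDto>> GetAssignableRolesAsync()
        {
            var roles = await base.GetAssignableRolesAsync();

            // Your condition goes here. Example: callers who are not in the
            // "admin" role do not get "admin" in the list.
            if (!CurrentUser.IsInRole("admin"))
            {
                var customRoleList = roles.Items.ToList();
                customRoleList.RemoveAll(x => x.Name == "admin");

                return new ListResultDto<IdentityRoleDto>(customRoleList);
            }

            return roles;
        }
    }
    ```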
    
  • arbasu@microsoft.com created

    So just to summarize, does this mean we need to define a custom UI and integrate it with a custom service? This custom service will override the logic by inheriting IdentityUserAppService (as you mentioned above).

    Is that the case?

  • enisn created
    Support Team

    No, you don't need to define a custom UI. Just override only IdentityUserAppService, and the existing UI will use the same endpoint. You'll just add some custom logic for existing AppService logic.
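
Added example, not part of the thread and not ABP's own code: overriding `GetAssignableRolesAsync` changes only the role list the UI receives, while the role names to assign still arrive in the request DTOs of the create and update endpoints, so the same rule also needs enforcing on the write path. The class name, the `RestrictedRoles` list and the `EnsureCanGrant` helper are assumptions made for illustration; the constructor is the one shown in the answer above, and in practice these overrides would sit in the same replacement class as the `GetAssignableRolesAsync` override.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options;
using Volo.Abp.Authorization;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Identity;

[Dependency(ReplaceServices = true)]
public class RoleGuardedIdentityUserAppService : IdentityUserAppService
{
    // Assumption: "admin" is the only role that non-admins must not grant.
    private static readonly string[] RestrictedRoles = { "admin" };

    public RoleGuardedIdentityUserAppService(
        IdentityUserManager userManager,
        IIdentityUserRepository userRepository,
        IIdentityRoleRepository roleRepository,
        IOptions<IdentityOptions> identityOptions)
        : base(userManager, userRepository, roleRepository, identityOptions) { }

    // Each endpoint that accepts role names validates them before delegating.
    public override Task<IdentityUserDto> CreateAsync(IdentityUserCreateDto input)
    {
        EnsureCanGrant(input.RoleNames);
        return base.CreateAsync(input);
    }

    public override Task<IdentityUserDto> UpdateAsync(Guid id, IdentityUserUpdateDto input)
    {
        EnsureCanGrant(input.RoleNames);
        return base.UpdateAsync(id, input);
    }

    public override Task UpdateRolesAsync(Guid id, IdentityUserUpdateRolesDto input)
    {
        EnsureCanGrant(input.RoleNames);
        return base.UpdateRolesAsync(id, input);
    }

    private void EnsureCanGrant(string[] requestedRoles)
    {
        // A null list means "leave roles unchanged"; admins may grant anything.
        if (requestedRoles == null || CurrentUser.IsInRole("admin")) return;
        // Role names are normalized by Identity, so compare case-insensitively.
        if (requestedRoles.Any(r => RestrictedRoles.Contains(r, StringComparer.OrdinalIgnoreCase)))
            throw new AbpAuthorizationException("Only admins may assign the admin role.");
    }
}
```

With this guard, a non-admin's request that lists `admin` is rejected even when the target user already holds that role, so decide separately whether non-admins may edit existing admin accounts at all.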

Made with ❤️ on ABP v9.2.0-preview. Updated on January 14, 2025, 14:54