Open Closed

Custom implementation of IAuthorizationMiddlewareResultHandler does not provide details to client when navigating to a page from browser URL #2075


User avatar
0
alexander.nikonov created

4.3.0 / Angular / separate IdentityServer

I have custom implementation of IAuthorizationMiddlewareResultHandler (it checks missing permissions for a user) and I want to provide additional exception info from it to Angular client in pop-up window. It works in some scenarios - like the page is accessed from navigation menu and it misses some permission. But if I try to access the page which is not accessible via typing its address in a browser - I ALWAYS get the following page without details:


5 Answer(s)
  • User Avatar
    0
    liangshiwei created
    Support Team

    Hi,

    Can you provide steps to reproduce? thanks.

  • User Avatar
    0
    alexander.nikonov created

    Hi. Here is the reproducable situation in the test project attached. Let's say I'm trying to access http://localhost:4200/dashboard via typing the address in a browser and the logged user does not have access to this page. IAuthorizationMiddlewareResultHandlerimplementation is even not triggered - straight away default 403 forbidden is shown.

    P.S. Could you please add possibility to attach code zip archives to a message? It's not user-friendly to create cloud links each time.

  • User Avatar
    0
    liangshiwei created
    Support Team

    Hi,

    I will check it.

    You will notice that I deleted the file link, because your license is included in the source code, I don't think you want to disclose it :)

  • User Avatar
    0
    liangshiwei created
    Support Team

    Hi,

    Try:

    [Dependency(ReplaceServices = true)]
    [ExposeServices(typeof(IMethodInvocationAuthorizationService))]
    public class MyMethodInvocationAuthorizationService : IMethodInvocationAuthorizationService, ITransientDependency
    {
        private readonly IAbpAuthorizationPolicyProvider _abpAuthorizationPolicyProvider;
        private readonly IAbpAuthorizationService _abpAuthorizationService;
    
        public MyMethodInvocationAuthorizationService(IAbpAuthorizationPolicyProvider abpAuthorizationPolicyProvider, IAbpAuthorizationService abpAuthorizationService)
        {
            _abpAuthorizationPolicyProvider = abpAuthorizationPolicyProvider;
            _abpAuthorizationService = abpAuthorizationService;
        }
    
        public async Task CheckAsync(MethodInvocationAuthorizationContext context)
        {
            if (AllowAnonymous(context))
            {
                return;
            }
    
            var authorizationPolicy = await AuthorizationPolicy.CombineAsync(
                _abpAuthorizationPolicyProvider,
                GetAuthorizationDataAttributes(context.Method)
            );
    
            if (authorizationPolicy == null)
            {
                return;
            }
    
    
            var result = await _abpAuthorizationService.AuthorizeAsync(authorizationPolicy);
    
            if (!result.Succeeded)
            {
                var requirements = result.Failure.FailedRequirements;
    
                var missingPermissionBuilder = new StringBuilder();
    
                foreach (var requirement in requirements)
                {
                    if (requirement is PermissionRequirement abpRequirement)
                    {
                        missingPermissionBuilder.AppendLine(abpRequirement.PermissionName);
                    }
                }
    
                throw new AuthorizationException(
                    $"The next permissions are required:\r\n\r\n{missingPermissionBuilder}");
            }
        }
    
        protected virtual bool AllowAnonymous(MethodInvocationAuthorizationContext context)
        {
            return context.Method.GetCustomAttributes(true).OfType<IAllowAnonymous>().Any();
        }
    
        protected virtual IEnumerable<IAuthorizeData> GetAuthorizationDataAttributes(MethodInfo methodInfo)
        {
            var attributes = methodInfo
                .GetCustomAttributes(true)
                .OfType<IAuthorizeData>();
    
            if (methodInfo.IsPublic && methodInfo.DeclaringType != null)
            {
                attributes = attributes
                    .Union(
                        methodInfo.DeclaringType
                            .GetCustomAttributes(true)
                            .OfType<IAuthorizeData>()
                    );
            }
    
            return attributes;
        }
    }
    

    Is this what you want?

  • User Avatar
    0
    liangshiwei created
    Support Team

    Re-open if still not work.

Made with ❤️ on ABP v9.2.0-preview. Updated on January 14, 2025, 14:54