十、Abp vNext 基础篇丨权限
介绍
本章节来把接口的权限加一下
权限配置和使用
官方地址:https://docs.abp.io/en/abp/latest/Authorization
下面这种代码可能我们日常开发都写过,ASP.NET Core 提供的Authorize特性来帮我们做授权,但是BookStore_Author_Create策略,需要我们去手动声明。
Abp定义了一个叫Permission System叫权限系统啥的都可以,来帮助我们轻松的搞定授权,具体怎么玩看下面代码就三部。
一、定义常量
public static class CorePermissions{public const string GroupName = "Bvcp.Core";public static class Blogs{public const string Default = GroupName + ".Blog";public const string Management = Default + ".Management";public const string Delete = Default + ".Delete";public const string Update = Default + ".Update";public const string Create = Default + ".Create";public const string ClearCache = Default + ".ClearCache";}public static class Posts{public const string Default = GroupName + ".Post";public const string Delete = Default + ".Delete";public const string Update = Default + ".Update";public const string Create = Default + ".Create";}public static class Tags{public const string Default = GroupName + ".Tag";public const string Delete = Default + ".Delete";public const string Update = Default + ".Update";public const string Create = Default + ".Create";}public static class Comments{public const string Default = GroupName + ".Comment";public const string Delete = Default + ".Delete";public const string Update = Default + ".Update";public const string Create = Default + ".Create";}public static string[] GetAll(){return ReflectionHelper.GetPublicConstantsRecursively(typeof(CorePermissions));}}
二、添加权限配置
public class CorePermissionDefinitionProvider : PermissionDefinitionProvider{public override void Define(IPermissionDefinitionContext context){var bloggingGroup = context.AddGroup(CorePermissions.GroupName, L("Permission:Core"));var blogs = bloggingGroup.AddPermission(CorePermissions.Blogs.Default, L("Permission:Blogs"));blogs.AddChild(CorePermissions.Blogs.Management, L("Permission:Management"));blogs.AddChild(CorePermissions.Blogs.Update, L("Permission:Edit"));blogs.AddChild(CorePermissions.Blogs.Delete, L("Permission:Delete"));blogs.AddChild(CorePermissions.Blogs.Create, L("Permission:Create"));blogs.AddChild(CorePermissions.Blogs.ClearCache, L("Permission:ClearCache"));var posts = bloggingGroup.AddPermission(CorePermissions.Posts.Default, L("Permission:Posts"));posts.AddChild(CorePermissions.Posts.Update, L("Permission:Edit"));posts.AddChild(CorePermissions.Posts.Delete, L("Permission:Delete"));posts.AddChild(CorePermissions.Posts.Create, L("Permission:Create"));var tags = bloggingGroup.AddPermission(CorePermissions.Tags.Default, L("Permission:Tags"));tags.AddChild(CorePermissions.Tags.Update, L("Permission:Edit"));tags.AddChild(CorePermissions.Tags.Delete, L("Permission:Delete"));tags.AddChild(CorePermissions.Tags.Create, L("Permission:Create"));var comments = bloggingGroup.AddPermission(CorePermissions.Comments.Default, L("Permission:Comments"));comments.AddChild(CorePermissions.Comments.Update, L("Permission:Edit"));comments.AddChild(CorePermissions.Comments.Delete, L("Permission:Delete"));comments.AddChild(CorePermissions.Comments.Create, L("Permission:Create"));}private static LocalizableString L(string name){return LocalizableString.Create<CoreResource>(name);}}
三、使用
Authorize(CorePermissions.Posts.Delete)]
资源授权方案
资源授权可能用过的人不多,代码都会在整体的修改代码一节这里先看就行,可以参考微软官方文档
有些场景下,授权需要依赖于要访问的资源,例如:每个资源通常会有一个创建者属性,我们只允许该资源的创建者才可以对其进行编辑,删除等操作,这就无法通过[Authorize]特性来指定授权了。因为授权过滤器会在我们的应用代码之前执行,无法确定所访问的资源。此时,我们需要使用基于资源的授权,下面就来演示一下具体是如何操作的。
定义资源Requirement
在基于资源的授权中,我们要判断的是用户是否具有针对该资源的某项操作,因此,我们先定义一个代表操作的Requirement:
public static class CommonOperations{public static OperationAuthorizationRequirement Update = new OperationAuthorizationRequirement { Name = nameof(Update) };public static OperationAuthorizationRequirement Delete = new OperationAuthorizationRequirement { Name = nameof(Delete) };}
实现资源授权Handler
每一个 Requirement 都需要有一个对应的 Handler,来完成授权逻辑,可以直接让 Requirement 实现IAuthorizationHandler接口。
我们是根据资源的创建者来判断用户是否具有操作权限,实现我们的授权Handler:
public class CommentAuthorizationHandler : AuthorizationHandler<OperationAuthorizationRequirement, Comment>{private readonly IPermissionChecker _permissionChecker;public CommentAuthorizationHandler(IPermissionChecker permissionChecker){_permissionChecker = permissionChecker;}protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,OperationAuthorizationRequirement requirement,Comment resource){if (requirement.Name == CommonOperations.Delete.Name && await HasDeletePermission(context, resource)){context.Succeed(requirement);return;}if (requirement.Name == CommonOperations.Update.Name && await HasUpdatePermission(context, resource)){context.Succeed(requirement);return;}}private async Task<bool> HasDeletePermission(AuthorizationHandlerContext context, Comment resource){// 判断创建人是否是登陆人if (resource.CreatorId != null && resource.CreatorId == context.User.FindUserId()){return true;}// 判断当前用户是否满足资源操作策略if (await _permissionChecker.IsGrantedAsync(context.User, CorePermissions.Comments.Delete)){return true;}return false;}private async Task<bool> HasUpdatePermission(AuthorizationHandlerContext context, Comment resource){// 判断创建人是否是登陆人if (resource.CreatorId != null && resource.CreatorId == context.User.FindUserId()){return true;}// 判断当前用户是否满足资源操作策略if (await _permissionChecker.IsGrantedAsync(context.User, CorePermissions.Comments.Update)){return true;}return false;}}
注册Handler,这一点不要忘了
public class CoreApplicationModule : AbpModule{public override void ConfigureServices(ServiceConfigurationContext context){Configure<AbpAutoMapperOptions>(options =>{options.AddMaps<CoreApplicationModule>();});Configure<AuthorizationOptions>(options =>{options.AddPolicy("BloggingUpdatePolicy", policy => policy.Requirements.Add(CommonOperations.Update));options.AddPolicy("BloggingDeletePolicy", policy => policy.Requirements.Add(CommonOperations.Delete));});context.Services.AddSingleton<IAuthorizationHandler, CommentAuthorizationHandler>();context.Services.AddSingleton<IAuthorizationHandler, PostAuthorizationHandler>();}}
使用策略授权
[Authorize]public async Task<CommentWithDetailsDto> UpdateAsync(Guid id, UpdateCommentDto input){var comment = await _commentRepository.GetAsync(id);// 检测是否有权限await AuthorizationService.CheckAsync(comment, CommonOperations.Update);comment.SetText(input.Text);comment = await _commentRepository.UpdateAsync(comment);return ObjectMapper.Map<Comment, CommentWithDetailsDto>(comment);}
整体的修改代码
public static class CommonOperations{public static OperationAuthorizationRequirement Update = new OperationAuthorizationRequirement { Name = nameof(Update) };public static OperationAuthorizationRequirement Delete = new OperationAuthorizationRequirement { Name = nameof(Delete) };}
public class CommentAuthorizationHandler : AuthorizationHandler<OperationAuthorizationRequirement, Comment>{private readonly IPermissionChecker _permissionChecker;public CommentAuthorizationHandler(IPermissionChecker permissionChecker){_permissionChecker = permissionChecker;}protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,OperationAuthorizationRequirement requirement,Comment resource){if (requirement.Name == CommonOperations.Delete.Name && await HasDeletePermission(context, resource)){context.Succeed(requirement);return;}if (requirement.Name == CommonOperations.Update.Name && await HasUpdatePermission(context, resource)){context.Succeed(requirement);return;}}private async Task<bool> HasDeletePermission(AuthorizationHandlerContext context, Comment resource){if (resource.CreatorId != null && resource.CreatorId == context.User.FindUserId()){return true;}if (await _permissionChecker.IsGrantedAsync(context.User, CorePermissions.Comments.Delete)){return true;}return false;}private async Task<bool> HasUpdatePermission(AuthorizationHandlerContext context, Comment resource){if (resource.CreatorId != null && resource.CreatorId == context.User.FindUserId()){return true;}if (await _permissionChecker.IsGrantedAsync(context.User, CorePermissions.Comments.Update)){return true;}return false;}}
public class PostAuthorizationHandler : AuthorizationHandler<OperationAuthorizationRequirement, Post>{private readonly IPermissionChecker _permissionChecker;public PostAuthorizationHandler(IPermissionChecker permissionChecker){_permissionChecker = permissionChecker;}protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, OperationAuthorizationRequirement requirement,Post resource){if (requirement.Name == CommonOperations.Delete.Name && await HasDeletePermission(context, resource)){context.Succeed(requirement);return;}if (requirement.Name == CommonOperations.Update.Name && await HasUpdatePermission(context, resource)){context.Succeed(requirement);return;}}private async Task<bool> HasDeletePermission(AuthorizationHandlerContext context, Post resource){if (resource.CreatorId != null && resource.CreatorId == context.User.FindUserId()){return true;}if (await _permissionChecker.IsGrantedAsync(context.User, CorePermissions.Posts.Delete)){return true;}return false;}private async Task<bool> HasUpdatePermission(AuthorizationHandlerContext context, Post resource){if (resource.CreatorId != null && resource.CreatorId == context.User.FindUserId()){return true;}if (await _permissionChecker.IsGrantedAsync(context.User, CorePermissions.Posts.Update)){return true;}return false;}}
CoreApplicationModule.cs
public class CoreApplicationModule : AbpModule{public override void ConfigureServices(ServiceConfigurationContext context){Configure<AbpAutoMapperOptions>(options =>{options.AddMaps<CoreApplicationModule>();});// 注册Configure<AuthorizationOptions>(options =>{options.AddPolicy("BloggingUpdatePolicy", policy => policy.Requirements.Add(CommonOperations.Update));options.AddPolicy("BloggingDeletePolicy", policy => policy.Requirements.Add(CommonOperations.Delete));});context.Services.AddSingleton<IAuthorizationHandler, CommentAuthorizationHandler>();context.Services.AddSingleton<IAuthorizationHandler, PostAuthorizationHandler>();}}
CommentAppService.cs
[Authorize]public async Task<CommentWithDetailsDto> UpdateAsync(Guid id, UpdateCommentDto input){var comment = await _commentRepository.GetAsync(id);await AuthorizationService.CheckAsync(comment, CommonOperations.Update);comment.SetText(input.Text);comment = await _commentRepository.UpdateAsync(comment);return ObjectMapper.Map<Comment, CommentWithDetailsDto>(comment);}[Authorize]public async Task DeleteAsync(Guid id){var comment = await _commentRepository.GetAsync(id);await AuthorizationService.CheckAsync(comment, CommonOperations.Delete);var replies = await _commentRepository.GetRepliesOfComment(id);foreach (var reply in replies){await _commentRepository.DeleteAsync(reply.Id);}}
PostAppService.cs
[Authorize(CorePermissions.Posts.Delete)]public async Task DeleteAsync(Guid id){// 查找文章var post = await _postRepository.GetAsync(id);// 判断是否有资源操作权await AuthorizationService.CheckAsync(post, CommonOperations.Delete);// 根据文章获取Tagsvar tags = await GetTagsOfPost(id);// 减少Tag引用数量await _tagRepository.DecreaseUsageCountOfTagsAsync(tags.Select(t => t.Id).ToList());// 删除评论await _commentRepository.DeleteOfPost(id);// 删除文章await _postRepository.DeleteAsync(id);await PublishPostChangedEventAsync(post.BlogId);}[Authorize(CorePermissions.Posts.Update)]public async Task<PostWithDetailsDto> UpdateAsync(Guid id, UpdatePostDto input){var post = await _postRepository.GetAsync(id);input.Url = await RenameUrlIfItAlreadyExistAsync(input.BlogId, input.Url, post);await AuthorizationService.CheckAsync(post, CommonOperations.Update);post.SetTitle(input.Title);post.SetUrl(input.Url);post.Content = input.Content;post.Description = input.Description;post.CoverImage = input.CoverImage;post = await _postRepository.UpdateAsync(post);var tagList = SplitTags(input.Tags);await SaveTags(tagList, post);await PublishPostChangedEventAsync(post.BlogId);return ObjectMapper.Map<Post, PostWithDetailsDto>(post);}
十、Abp vNext 基础篇丨权限的更多相关文章
- 六、Abp vNext 基础篇丨文章聚合功能上
介绍 9月开篇讲,前面几章群里已经有几个小伙伴跟着做了一遍了,遇到的问题和疑惑也都在群里反馈和解决好了,9月咱们保持保持更新.争取10月份更新完基础篇. 另外番外篇属于 我在abp群里和日常开发的问题 ...
- 十一、Abp vNext 基础篇丨测试
前言 祝大家国庆快乐,本来想国庆之前更新完的,结果没写完,今天把剩下的代码补了一下总算ok了. 本章节也是我们后端日常开发中最重要的一步就是测试,我们经常听到的单元测试.集成测试.UI测试.系统测试, ...
- Abp vNext 基础篇丨分层架构
介绍 本章节对 ABP 框架进行一个简单的介绍,摘自ABP官方,后面会在使用过程中对各个知识点进行细致的讲解. 领域驱动设计 领域驱动设计(简称:DDD)是一种针对复杂需求的软件开发方法.将软件实现与 ...
- 七、Abp vNext 基础篇丨文章聚合功能下
介绍 不好意思这篇文章应该早点更新的,这几天在忙CICD的东西没顾得上,等后面整好了CICD我也发2篇文章讲讲,咱们进入正题,这一章来补全剩下的 2个接口和将文章聚合进行完善. 开工 上一章大部分业务 ...
- Abp vNext 基础篇丨领域构建
介绍 我们将通过例⼦介绍和解释⼀些显式规则.在实现领域驱动设计时,应该遵循这些规则并将其应⽤到解决⽅案中. 领域划分 首先我们先对比下Blog.Core和本次重构设计上的偏差,可以看到多了一个博客管理 ...
- 五、Abp vNext 基础篇丨博客聚合功能
介绍 业务篇章先从客户端开始写,另外补充一下我给项目起名的时候没多想起的太随意了,结果后面有些地方命名冲突了需要通过手动using不过问题不大. 开工 应用层 根据第三章分层架构里面讲到的现在我们模型 ...
- 八、Abp vNext 基础篇丨标签聚合功能
介绍 本章节先来把上一章漏掉的上传文件处理下,然后实现Tag功能. 上传文件 上传文件其实不含在任何一个聚合中,它属于一个独立的辅助性功能,先把抽象接口定义一下,在Bcvp.Blog.Core.App ...
- 九、Abp vNext 基础篇丨评论聚合功能
介绍 评论本来是要放到标签里面去讲的,但是因为上一章东西有点多了,我就没放进去,这一章单独拿出来,内容不多大家自己写写就可以,也算是对前面讲解的一个小练习吧. 相关注释我也加在代码上面了,大家看看代码 ...
- Django基础篇--用户权限管理和组管理
Django作为一个成熟的python后台开发框架,为开发者提供了很多内置的功能,开发者只需要做一些配置就可以完成原生操作中比较复杂的代码编写.这些内置功能中其中一个比较强大的功能就是后台用户管理类. ...
随机推荐
- linux 高并发socket通信模型
------select 1 一个误区很多人认为它最大可以监听1024个,实际上却是文件描述符的值不能大于等于1024,所以除掉标准输入.输出.错误输出,一定少于1024个,如果在之前还打开了其他文件 ...
- Create Virtual Machines with Vagrant and Puppet
Create the following puppet manifest and start VM with vagrant, you get a base production environmen ...
- java JNI介绍
java JNI介绍 目录 java JNI介绍 1. Java调用C++代码 2.C++代码调用java代码 JNI是Java Native Interface的全称. oracle文档中是这样描述 ...
- Django 反向解析 request CBV
正则路径中的分组 无名分组 分组的概念:就是给某一段正则表达式用小括号括起来 无名分组按位置传参数,一一对应. view中除去request,其他形参数量要与urls中分组数量一致. 无名分组就是将括 ...
- 接入华为应用内支付,验证购买Token接口,返回“rights invalid”
有海外开发者向我们提问:我在应用中集成了华为应用内支付SDK(测试购买订阅型商品),按照文档说明,在服务器去请求验证购买Token接口的时候返回了{"responseCode":& ...
- Python中用max()筛选出列表中出现次数最多的元素
1 List = [1,2,3,4,2,3,2] # 随意创建一个只有数字的列表 2 maxTimes = max(List,key=List.count) # maxTimes指列表中出现次数最多的 ...
- SpringBoot开启异步方法
在启动类上加入@EnableAsync 异步方法 /** * 简单文本邮件 * @param to 收件人 * @param subject 主题 * @param content 内容 */ @As ...
- 获取sim 卡的IMEI 和 IMSI
IReadOnlyList<string> networkAccIds = Windows.Networking.NetworkOperators.MobileBroadbandAccou ...
- git 的指定参考教程
https://www.runoob.com/git/git-create-repository.html
- Java中Byte类型数据在运算中的问题
比如: byte a=1; byte b=2; byte c; c=a+b; //这样是计算不出c,是错误的 c=a+1; //这样也是不能计算c的 c=64+1; //为什么这样就能计算c,在Jav ...