abp AppService 覆寫 Method 的 Authorize?

問題

同事繼承 Abp 範例中的 AuthorAppService ,將 UpdateAsync 設定成 virtual ,允許子類別去覆寫。
子類別在覆寫的 UpdateAsync 上,加上另個 Authorize 的設定,
結果要執行UpdateAsync變成需要有 2 個 Policy 的權限才可以執行。

測試

範例的AuthorAppService,其中的UpdateAsync設定成virtual,如下,

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
[Authorize(BookStorePermissions.Authors.Default)]
public class AuthorAppService : BookStoreAppService, IAuthorAppService
{
    private readonly IAuthorRepository _authorRepository;
    private readonly AuthorManager _authorManager;
    public AuthorAppService(
        IAuthorRepository authorRepository,
        AuthorManager authorManager)
    {
        _authorRepository = authorRepository;
        _authorManager = authorManager;
    }
    public async Task<AuthorDto> GetAsync(Guid id)
    {
        var author = await _authorRepository.GetAsync(id);
        return ObjectMapper.Map<Author, AuthorDto>(author);
    }

    public async Task<PagedResultDto<AuthorDto>> GetListAsync(GetAuthorListDto input)
    {
        if(input.Sorting.IsNullOrWhiteSpace())
        {
            input.Sorting = nameof(Author.Name);
        }

        var authors = await _authorRepository.GetListAsync(
            input.SkipCount,
            input.MaxResultCount,
            input.Sorting,
            input.Filter
        );

        var totalCount = input.Filter == null
            ? await _authorRepository.CountAsync()
            : await _authorRepository.CountAsync(
                author => author.Name.Contains(input.Filter)
            );

        return new PagedResultDto<AuthorDto>(
            totalCount,
            ObjectMapper.Map<List<Author>, List<AuthorDto>>(authors)
        );
    }

    [Authorize(BookStorePermissions.Authors.Create)]
    public async Task<AuthorDto> CreateAsync(CreateAuthorDto input)
    {
        var author = await _authorManager.CreateAsync(
            input.Name,
            input.BirthDate,
            input.ShortBio
        );

        await _authorRepository.InsertAsync(author);

        return ObjectMapper.Map<Author, AuthorDto>(author);
    }


    [Authorize(BookStorePermissions.Authors.Delete)]
    public async Task DeleteAsync(Guid id)
    {
        await _authorRepository.DeleteAsync(id);
    }



    [Authorize(BookStorePermissions.Authors.Edit)]
    public virtual async Task UpdateAsync(Guid id, UpdateAuthorDto input)
    {
        var author = await _authorRepository.GetAsync(id);
        if(author.Name != input.Name)
        {
            await _authorManager.ChangeNameAsync(author, input.Name);
        }
        author.BirthDate = input.BirthDate;
        author.ShortBio = input.ShortBio;

        await _authorRepository.UpdateAsync(author);
    }
}

因為要多加個BookStorePermissions.Authors.Edit2 Permission,
所以要在 BookStorePermissions中的Authors Class 中加入

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
public static class BookStorePermissions
{
    public const string GroupName = "BookStore";
    public static class Books
    {
        public const string Default = GroupName + ".Books";
        public const string Create = Default + ".Create";
        public const string Edit = Default + ".Edit";
        public const string Delete = Default + ".Delete";
    }

    public static class Authors
    {
        public const string Default = GroupName + ".Authors";
        public const string Create = Default + ".Create";
        public const string Edit = Default + ".Edit";
        public const string Edit2 = Default + ".Edit2";
        public const string Delete = Default + ".Delete";
    }
}

BookStorePermissionDefinitionProvider中也要加入Edit2
authorsPermission.AddChild(BookStorePermissions.Authors.Edit2, L("Permission:Authors.Edit"));,如下,

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
public class BookStorePermissionDefinitionProvider : PermissionDefinitionProvider
{
    public override void Define(IPermissionDefinitionContext context)
    {
        var bookStoreGroup = context.AddGroup(BookStorePermissions.GroupName, L("Permission:BookStore"));

        var booksPermission = bookStoreGroup.AddPermission(BookStorePermissions.Books.Default, L("Permission:Books"));
        booksPermission.AddChild(BookStorePermissions.Books.Create, L("Permission:Books.Create"));
        booksPermission.AddChild(BookStorePermissions.Books.Edit, L("Permission:Books.Edit"));
        booksPermission.AddChild(BookStorePermissions.Books.Delete, L("Permission:Books.Delete"));

        var authorsPermission = bookStoreGroup.AddPermission(BookStorePermissions.Authors.Default, L("Permission:Authors"));
        authorsPermission.AddChild(BookStorePermissions.Authors.Create, L("Permission:Authors.Create"));
        authorsPermission.AddChild(BookStorePermissions.Authors.Edit, L("Permission:Authors.Edit"));
        authorsPermission.AddChild(BookStorePermissions.Authors.Delete, L("Permission:Authors.Delete"));
        authorsPermission.AddChild(BookStorePermissions.Authors.Edit2, L("Permission:Authors.Edit"));
    }

    private static LocalizableString L(string name)
    {
        return LocalizableString.Create<BookStoreResource>(name);
    }
}

接著實作要繼承AuthorAppService的子類別CustomAuthorAppService

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
[Dependency(ReplaceServices = true)]
[ExposeServices(typeof(AuthorAppService))]
public class CustomAuthorAppService : AuthorAppService
{
    public CustomAuthorAppService(
        IAuthorRepository authorRepository,
        AuthorManager authorManager)
        : base(authorRepository, authorManager)
    {

    }

    [Authorize(BookStorePermissions.Authors.Edit2)]
    public override async Task UpdateAsync(Guid id, UpdateAuthorDto input)
    {
        await base.UpdateAsync(id, input);
    }
}

新增一個MyPermissionChecker來查看執行UpdateAsync會需要那些的 Policy,

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
public class MyPermissionChecker : IPermissionChecker
{
    public Task<bool> IsGrantedAsync(string name)
    {
        return TaskCache.TrueResult;
    }

    public Task<bool> IsGrantedAsync(ClaimsPrincipal? claimsPrincipal, string name)
    {
        return TaskCache.TrueResult;
    }

    public Task<MultiplePermissionGrantResult> IsGrantedAsync(string[] names)
    {
        return IsGrantedAsync(null, names);
    }

    public Task<MultiplePermissionGrantResult> IsGrantedAsync(ClaimsPrincipal? claimsPrincipal, string[] names)
    {
        return Task.FromResult(new MultiplePermissionGrantResult(names, PermissionGrantResult.Granted));
    }
}

再到ApplicationModule.cs中設定要以MyPermissionChecker取代原生的PermissionChecker
CustomAuthorAppService取代原本的AuthorAppService,如下,

1
2
3
4
5
6
public override void ConfigureServices(ServiceConfigurationContext context)
{
    //...其他程式 ...
    context.Services.Replace(ServiceDescriptor.Singleton<IPermissionChecker, MyPermissionChecker>());
    context.Services.Replace(ServiceDescriptor.Transient<IAuthorAppService, CustomAuthorAppService>());
}

測試結果

透過 Swagger 來測試時,在MyPermissionCheckerIsGrantedAsync方式設中斷點,
可以發現檢查順序為
BookStore.Authors->BookStore.Authors.Edit->BookStore.Authors.Edit2->BookStore.Authors.Edit->BookStore.Authors

所以可以發現,Method 上的Authorize的設定是疉加的效果。
所以如果是要覆寫的話,就使用原本的Authorize,不用特別再加一個新的Authorize
或是新增另一個 Method 去設定不同的Authorize
這個是 ASP.NET 原生的機制,不管是 Abp or ASP.NET 都是一樣的狀況哦。

參考資料

abp PermissionChecker.cs
abp AlwaysAllowPermissionChecker.cs

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

大家好,我是亂馬客 Rainmaker,目前任職於叡揚資訊,大家也都叫我 RM 。 平常負責開發公司各產品線的加值、共用的軟體,例如 Azure, OpenAI, Chatbot, Database ... 同時 Support 公司各種技術及資安修改問題。 Blog中的內容也是個人的看法, 如果有需要討論的地方, 可以留言,或是 mail 給我 :) rainmaker_ho@gss.com.tw