Authorization in CrudAppService not working without overriding some functions #2253
Comments
As you have overridden the GetAll method, you are responsible for checking permissions by using CheckGetAllPermission() before returning any result from the overridden method. If you use the default implementation, it handles it internally. Edit:
The problem is not the authorization but the authentication. Changing the code as you suggested, setting the PermissionName in the ctor, I get the following response:
When calling the GetAll method I expected the following response if I did not log in:
It seems you are logged in using cookie authentication and your Web API does not suppress it to token auth only. Therefore the cookie is taken into account for API calls. Have you tried it in a new incognito window without logging in? At least for .NET this is how it works. I haven't tested it on Core.
I am very sure that I have never logged in. The only things I added to the .NET Core Zero module template: an entity, a repository and the CRUD service.
This is very strange. Will check it and fix if there is a bug. Thanks.
It looks like the problem is that adding [AbpAuthorize(PermissionNames.Parcells)] to a class that derives from the CrudAppService class seems to cause problems. The error seems to happen within the PermissionCheckerExtensions. The IPermissionChecker that it uses seems to be incorrect; it seems to use the base version, not the version in the core project. Or, to state it more correctly, a base version seems to be using these extensions rather than the PermissionChecker in the core project. Changing the class as below to remove the AbpAuthorizeAttribute and set the permission names in the constructor seems to work.
Another issue related to the same class, but one that possibly requires another issue, is that sometimes the sorting gets out of line. If you derive like this using PagedResultRequestDto rather than PagedAndSortedRequestDto:
The sorting does this:
So it returns the correct page number for the results but that page is incorrectly sorted.
Hi @AlanFlaherty, for the sorting issue, are you using EF Core? Also, are you doing a projection for the query, for example
Hi @ismcagdas, I faced the same issue also. I think it could be due to Perhaps using
Abp package version: 2.1.3
Your base framework: .Net Core
Steps needed to reproduce the problem:
Using the following code, I can call any CRUD function from SwaggerUI without authorization.
Using the following code, I can call any method except GetAll without authorization.
Using following code, I can call no method without authorization.
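The pattern the thread converges on (permission names set in the constructor, plus an explicit CheckGetAllPermission() call in any GetAll override), as an added example that is not code from the issue or from the ABP project. The `Parcel` entity, `ParcelDto`, the `PermissionNames` stub, its string value and the `Name` filter are hypothetical, and an object mapping from `Parcel` to `ParcelDto` is assumed to be configured elsewhere.

```csharp
using System.Linq;
using System.Threading.Tasks;
using Abp.Application.Services;
using Abp.Application.Services.Dto;
using Abp.Domain.Entities;
using Abp.Domain.Repositories;

// Hypothetical stand-ins for the types whose code is missing from the thread.
// In a real project, PermissionNames is the application's own class.
public static class PermissionNames { public const string Parcells = "Parcells"; }
public class Parcel : Entity<int> { public string Name { get; set; } }
public class ParcelDto : EntityDto<int> { public string Name { get; set; } }

// No [AbpAuthorize] on the class: the permission names below drive the checks.
public class ParcelAppService
    : AsyncCrudAppService<Parcel, ParcelDto, int, PagedAndSortedResultRequestDto>
{
    public ParcelAppService(IRepository<Parcel, int> repository) : base(repository)
    {
        // A name left null or empty means that operation is not permission-checked,
        // so set all five explicitly.
        GetPermissionName = PermissionNames.Parcells;
        GetAllPermissionName = PermissionNames.Parcells;
        CreatePermissionName = PermissionNames.Parcells;
        UpdatePermissionName = PermissionNames.Parcells;
        DeletePermissionName = PermissionNames.Parcells;
    }

    // Overriding GetAll replaces the base body, including its permission check,
    // so the override has to call CheckGetAllPermission() itself.
    public override async Task<PagedResultDto<ParcelDto>> GetAll(
        PagedAndSortedResultRequestDto input)
    {
        CheckGetAllPermission(); // throws if the permission is not granted

        var query = CreateFilteredQuery(input).Where(p => p.Name != null);
        var totalCount = await AsyncQueryableExecuter.CountAsync(query);

        query = ApplySorting(query, input);
        query = ApplyPaging(query, input);
        var entities = await AsyncQueryableExecuter.ToListAsync(query);

        return new PagedResultDto<ParcelDto>(
            totalCount, entities.Select(MapToEntityDto).ToList());
    }
}
```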