
Authorization in CrudAppService not working without overriding some functions #2253

Closed
KlemensE opened this issue Jun 23, 2017 · 8 comments

Comments

@KlemensE

  • Abp package version: 2.1.3

  • Your base framework: .Net Core

  • Steps needed to reproduce the problem:

Using the following code, I can call any CRUD function from SwaggerUI without authorization

using Abp.Application.Services;
using Abp.Application.Services.Dto;
using Abp.Authorization;
using Abp.Domain.Repositories;

namespace ViPlanner.Parcells
{
    // Class-level attribute only; no permission names set, no overrides.
    [AbpAuthorize(PermissionNames.Parcells)]
    public class ParcellService : CrudAppService<Parcell, ParcellDto, int, PagedAndSortedResultRequestDto, CreateParcellInput, UpdateParcellInput>, IParcellService
    {
        public ParcellService(IRepository<Parcell, int> repository)
            : base(repository)
        {
        }
    }
}

Using the following code, I can call any method except GetAll without authorization.

namespace ViPlanner.Parcells
{
    [AbpAuthorize(PermissionNames.Parcells)]
    public class ParcellService : CrudAppService<Parcell, ParcellDto, int, PagedAndSortedResultRequestDto, CreateParcellInput, UpdateParcellInput>, IParcellService
    {
        public ParcellService(IRepository<Parcell, int> repository)
            : base(repository)
        {
        }

        public override PagedResultDto<ParcellDto> GetAll(PagedAndSortedResultRequestDto input)
        {
            return base.GetAll(input);
        }
    }
}

Using the following code, I cannot call any method without authorization.

namespace ViPlanner.Parcells
{
    [AbpAuthorize(PermissionNames.Parcells)]
    public class ParcellService : CrudAppService<Parcell, ParcellDto, int, PagedAndSortedResultRequestDto, CreateParcellInput, UpdateParcellInput>, IParcellService
    {
        public ParcellService(IRepository<Parcell, int> repository)
            : base(repository)
        {
        }

        protected override void CheckPermission(string permissionName)
        {
            base.CheckPermission(permissionName);
        }
    }
}
@tamys

tamys commented Jun 24, 2017

As you have overridden the GetAll method, you are responsible for checking permissions by using CheckGetAllPermission() before returning any result from the overridden method. If you use the default implementation, it handles it internally.

Edit:
The permission should be defined in the constructor of your crud service
GetAllPermissionName = PermissionNames.Editor_Events_GetAll;

@KlemensE
Author

The problem is not the authorization but the authentication.

Changing the code as you suggested (setting the PermissionName in the ctor), I get the following response:

{
  "result": null,
  "targetUrl": null,
  "success": false,
  "error": {
    "code": 0,
    "message": "Required permissions are not granted. At least one of these permissions must be granted: Parcells.GetAll",
    "details": null,
    "validationErrors": null
  },
  "unAuthorizedRequest": true,
  "__abp": true
}

When calling the GetAll method, I expected the following response if I did not log in:

{
  "result": null,
  "targetUrl": null,
  "success": false,
  "error": {
    "code": 0,
    "message": "Current user did not login to the application!",
    "details": null,
    "validationErrors": null
  },
  "unAuthorizedRequest": true,
  "__abp": true
}

@tamys

tamys commented Jun 24, 2017

It seems you are logged in using cookie authentication and your webapi does not restrict it to token auth only. Therefore the cookie is taken into account for api calls. Have you tried it in a new incognito window without logging in? At least for .net this is how it works. I haven't tested it on core.

@KlemensE
Author

I am very sure that I have never logged in. The only things I added to the .net core zero module template: an entity, a repository and the crud service.

@hikalkan
Member

This is very strange. Will check it and fix if there is a bug. Thanks.

@hikalkan hikalkan added this to the v2.2 milestone Jun 28, 2017
@AlanFlaherty

It looks like the problem is adding [AbpAuthorize(PermissionNames.Parcells)] to a class that derives from the CrudAppService class; that seems to cause problems. The error seems to happen within the PermissionCheckerExtensions. The IPermissionChecker that it uses seems to be incorrect: it seems to use the base version, not the version in the core project. Or, to state it more correctly, a base version seems to be using these extensions rather than the PermissionChecker in the core project.

Changing the class as below to remove the AbpAuthorizeAttribute and set the permission names in the constructor seems to work.

using Abp.Application.Services;
using Abp.Application.Services.Dto;
using Abp.Domain.Repositories;

namespace ViPlanner.Parcells
{
    public class ParcellService : CrudAppService<Parcell, ParcellDto, int, PagedAndSortedResultRequestDto, CreateParcellInput, UpdateParcellInput>, IParcellService
    {
        public ParcellService(IRepository<Parcell, int> repository)
            : base(repository)
        {
            // No class-level attribute; the base class checks these names itself.
            CreatePermissionName
                = GetAllPermissionName
                = GetPermissionName
                = UpdatePermissionName
                = DeletePermissionName
                = PermissionNames.Parcells;
        }
    }
}

Another issue related to the same class, but that possibly requires another issue is that sometimes the sorting gets out of line.

If you derive like this, using PagedResultRequestDto rather than PagedAndSortedRequestDto:

public class ItemAppService : CrudAppService<Item, ItemDto, int, PagedResultRequestDto, CreateItemInput, UpdateItemInput>

The sorting does this:

  • sorts the results
  • takes a page << this .Take() resets the sorting order on the query
  • does not resort the page before returning it to the client

So it returns the correct page number for the results but that page is incorrectly sorted.

@hikalkan hikalkan assigned ismcagdas and unassigned ebicoglu and ismcagdas Jul 1, 2017
@ryancyq
Contributor

ryancyq commented Jul 5, 2017

Hi @AlanFlaherty, for the sorting issue, are you using EF Core? Also, are you doing a projection for the query, for example .Select(e => new MyProjection(){ });?

@ryancyq
Contributor

ryancyq commented Jul 5, 2017

Hi @ismcagdas , I faced the same issue also.

I think it could be due to ReflectionHelper.GetAttributesOfMemberAndDeclaringType using memberInfo.DeclaringType.

Perhaps using MemberInfo.ReflectedType is more appropriate?
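As an added illustration of the DeclaringType versus ReflectedType hypothesis above (example code written for this page, not code from the ABP project or from anyone in this thread), the plain-reflection program below looks up an inherited method on a derived class and collects a class-level attribute once via DeclaringType and once via ReflectedType. RequirePermissionAttribute, CrudBase, the stand-in ParcellService and the two lookup helpers are constructed for the example and are not ABP's ReflectionHelper.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

// Stand-in for [AbpAuthorize]; constructed for this example only.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public class RequirePermissionAttribute : Attribute
{
    public string Permission { get; }
    public RequirePermissionAttribute(string permission) => Permission = permission;
}

// Base class declaring a method the derived class does not override,
// like CrudAppService.GetAll in the first snippet of this issue.
public class CrudBase
{
    public virtual string GetAll() => "all rows";
}

// Derived class carrying the class-level attribute, like ParcellService.
[RequirePermission("Parcells")]
public class ParcellService : CrudBase { }

public static class AttributeLookup
{
    // Lookup that mirrors the hypothesised behaviour: attributes on the member
    // plus attributes on DeclaringType (the type where the method is defined).
    // For an inherited method that type is CrudBase, so the derived class's
    // attribute is never consulted.
    public static IEnumerable<string> ViaDeclaringType(MethodInfo m) =>
        m.GetCustomAttributes<RequirePermissionAttribute>(true)
         .Concat(m.DeclaringType.GetCustomAttributes<RequirePermissionAttribute>(true))
         .Select(a => a.Permission);

    // Proposed alternative: ReflectedType is the type the MethodInfo was
    // obtained from (ParcellService here), so its attributes are included.
    public static IEnumerable<string> ViaReflectedType(MethodInfo m) =>
        m.GetCustomAttributes<RequirePermissionAttribute>(true)
         .Concat(m.ReflectedType.GetCustomAttributes<RequirePermissionAttribute>(true))
         .Select(a => a.Permission);

    public static void Main()
    {
        // GetAll is requested on ParcellService but declared on CrudBase.
        MethodInfo getAll = typeof(ParcellService).GetMethod(nameof(CrudBase.GetAll));
        Console.WriteLine($"DeclaringType = {getAll.DeclaringType.Name}, ReflectedType = {getAll.ReflectedType.Name}");
        Console.WriteLine("via DeclaringType: [" + string.Join(",", ViaDeclaringType(getAll)) + "]");
        Console.WriteLine("via ReflectedType: [" + string.Join(",", ViaReflectedType(getAll)) + "]");
    }
}
```

The DeclaringType lookup yields no permission for the inherited method while the ReflectedType lookup yields "Parcells", which is the fail-open pattern the first snippet in this issue exhibits: a class-level attribute that the base class's own methods never see.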
