public async Task AddDefaultRolesForFeatureAsync(Feature feature)
{
var featureName = feature.Descriptor.Id;
// when another module is being enabled, locate matching permission providers
var providersForEnabledModule = _permissionProviders.Where(x => _typeFeatureProvider.GetFeatureForDependency(x.GetType())?.Descriptor?.Id == featureName);
if (Logger.IsEnabled(LogLevel.Debug))
{
if (providersForEnabledModule.Any())
{
Logger.LogDebug($"Configuring default roles for module {featureName}");
}
else
{
Logger.LogDebug($"No default roles for module {featureName}");
}
}
foreach (var permissionProvider in providersForEnabledModule)
{
// get and iterate stereotypical groups of permissions
var stereotypes = permissionProvider.GetDefaultStereotypes();
foreach (var stereotype in stereotypes)
{
// turn those stereotypes into roles
var role = await _roleManager.FindByNameAsync(stereotype.Name);
if (role == null)
{
if (Logger.IsEnabled(LogLevel.Information))
{
Logger.LogInformation($"Defining new role {stereotype.Name} for permission stereotype");
}
role = new Role { RoleName = stereotype.Name };
await _roleManager.CreateAsync(role);
}
// and merge the stereotypical permissions into that role
var stereotypePermissionNames = (stereotype.Permissions ?? Enumerable.Empty<Permission>()).Select(x => x.Name);
var currentPermissionNames = role.RoleClaims.Where(x => x.ClaimType == Permission.ClaimType).Select(x => x.ClaimValue);
var distinctPermissionNames = currentPermissionNames
.Union(stereotypePermissionNames)
.Distinct();
// update role if set of permissions has increased
var additionalPermissionNames = distinctPermissionNames.Except(currentPermissionNames);
if (additionalPermissionNames.Any())
{
foreach (var permissionName in additionalPermissionNames)
{
if (Logger.IsEnabled(LogLevel.Debug))
{
Logger.LogInformation("Default role {0} granted permission {1}", stereotype.Name, permissionName);
}
await _roleManager.AddClaimAsync(role, new Claim(Permission.ClaimType, permissionName));
}
}
}
}
}
private async Task<IEnumerable<string>> GetEffectivePermissions(Role role, IEnumerable<Permission> allPermissions)
{
// Create a fake user to check the actual permissions. If the role is anonymous
// IsAuthenticated needs to be false.
var fakeUser = new ClaimsPrincipal(
new ClaimsIdentity(new[] { new Claim(ClaimTypes.Role, role.RoleName)},
role.RoleName != "Anonymous" ? "FakeAuthenticationType" : null)
);
var result = new List<string>();
foreach(var permission in allPermissions)
{
if (await _authorizationService.AuthorizeAsync(fakeUser, permission))
{
result.Add(permission.Name);
}
}
return result;
}
public async Task<IActionResult> Create(CreateRoleViewModel model)
{
if (ModelState.IsValid)
{
model.RoleName = model.RoleName.Trim();
if (await _roleManager.FindByNameAsync(model.RoleName) != null)
{
ModelState.AddModelError(string.Empty, T["The role is already used."]);
}
}
if (ModelState.IsValid)
{
var role = new Role { RoleName = model.RoleName };
var result = await _roleManager.CreateAsync(role);
if (result.Succeeded)
{
_notifier.Success(TH["Role created successfully"]);
return RedirectToAction(nameof(Index));
}
_session.Cancel();
foreach (var error in result.Errors)
{
ModelState.AddModelError(string.Empty, error.Description);
}
}
// If we got this far, something failed, redisplay form
return View(model);
}
private RoleEntry BuildRoleEntry(Role role)
{
return new RoleEntry
{
Name = role.RoleName,
Selected = false
};
}