diff --git a/docs/en/framework/infrastructure/background-jobs/hangfire.md b/docs/en/framework/infrastructure/background-jobs/hangfire.md
index da0e3953ab..8377f001c0 100644
--- a/docs/en/framework/infrastructure/background-jobs/hangfire.md
+++ b/docs/en/framework/infrastructure/background-jobs/hangfire.md
@@ -159,14 +159,24 @@ app.UseAbpHangfireDashboard("/hangfire", options =>
 `AbpHangfireAuthorizationFilter` class has the following fields:
 * **`enableTenant` (`bool`, default: `false`):** Enables/disables accessing the Hangfire dashboard on tenant users.
-* **`requiredPermissionName` (`string`, default: `null`):** Hangfire dashboard is accessible only if the current user has the specified permission. In this case, if we specify a permission name, we don't need to set `enableTenant` `true` because the permission system already does it.
+* **`requiredPermissionName` (`string`, default: `null`):** Hangfire dashboard is accessible only if the current user has the specified permission.
+* **`requiredRoleNames` (`string[]`, default: `[]`):** Hangfire dashboard is accessible only if the current user has one of the specified roles.
-If you want to require an additional permission, you can pass it into the constructor as below:
+If you want to require more policies, you can use the `PolicyBuilder` property of the `AbpHangfireAuthorizationFilter` class.
 ```csharp
 app.UseAbpHangfireDashboard("/hangfire", options =>
 {
- options.AsyncAuthorization = new[] { new AbpHangfireAuthorizationFilter(requiredPermissionName: "MyHangFireDashboardPermissionName") };
+ var hangfireAuthorizationFilter = new AbpHangfireAuthorizationFilter(requiredPermissionName: "MyHangFireDashboardPermissionName");
+
+ //hangfireAuthorizationFilter.PolicyBuilder.AddRequirements(new PermissionRequirement("YourPermissionName"));
+ //hangfireAuthorizationFilter.PolicyBuilder.RequireRole("YourCustomRole");
+ //hangfireAuthorizationFilter.PolicyBuilder.Requirements.Add(new YourCustomRequirement());
+
+ options.AsyncAuthorization = new[]
+ {
+ hangfireAuthorizationFilter
+ };
 });
 ```
diff --git a/framework/src/Volo.Abp.HangFire/Volo/Abp/Hangfire/AbpHangfireAuthorizationFilter.cs b/framework/src/Volo.Abp.HangFire/Volo/Abp/Hangfire/AbpHangfireAuthorizationFilter.cs
index bd65b22dba..d49c211ee5 100644
--- a/framework/src/Volo.Abp.HangFire/Volo/Abp/Hangfire/AbpHangfireAuthorizationFilter.cs
+++ b/framework/src/Volo.Abp.HangFire/Volo/Abp/Hangfire/AbpHangfireAuthorizationFilter.cs
@@ -1,53 +1,49 @@
 using System;
+using System.Collections.Generic;
 using System.Threading.Tasks;
 using Hangfire.Dashboard;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.Extensions.DependencyInjection;
-using Volo.Abp.Authorization.Permissions;
-using Volo.Abp.Users;
+using Volo.Abp.Authorization;
+using Volo.Abp.MultiTenancy;
 namespace Volo.Abp.Hangfire;
 public class AbpHangfireAuthorizationFilter : IDashboardAsyncAuthorizationFilter
 {
 private readonly bool _enableTenant;
- private readonly string? _requiredPermissionName;
+ private readonly AuthorizationPolicyBuilder _policyBuilder;
- public AbpHangfireAuthorizationFilter(bool enableTenant = false, string? requiredPermissionName = null)
- {
- _enableTenant = requiredPermissionName.IsNullOrWhiteSpace() ? enableTenant : true;
- _requiredPermissionName = requiredPermissionName;
- }
+ public virtual AuthorizationPolicyBuilder PolicyBuilder => _policyBuilder;
- public async Task AuthorizeAsync(DashboardContext context)
+ public AbpHangfireAuthorizationFilter(bool enableTenant = false, string? requiredPermissionName = null, params string[]? requiredRoleNames)
 {
- if (!IsLoggedIn(context, _enableTenant))
+ _enableTenant = enableTenant;
+ _policyBuilder = new AuthorizationPolicyBuilder().RequireAuthenticatedUser();
+ if (!requiredPermissionName.IsNullOrWhiteSpace())
 {
- return false;
+ _policyBuilder.Requirements.Add(new PermissionRequirement(requiredPermissionName));
 }
- if (_requiredPermissionName.IsNullOrEmpty())
+ if (!requiredRoleNames.IsNullOrEmpty())
 {
- return true;
+ foreach (var roleName in requiredRoleNames!)
+ {
+ _policyBuilder.RequireRole(roleName);
+ }
 }
-
- return await IsPermissionGrantedAsync(context, _requiredPermissionName!);
 }
- private static bool IsLoggedIn(DashboardContext context, bool enableTenant)
+ public virtual async Task AuthorizeAsync(DashboardContext context)
 {
- var currentUser = context.GetHttpContext().RequestServices.GetRequiredService();
-
- if (!enableTenant)
+ var currentTenant = context.GetHttpContext().RequestServices.GetRequiredService();
+ if (currentTenant.IsAvailable && !_enableTenant)
 {
- return currentUser.IsAuthenticated && !currentUser.TenantId.HasValue;
+ return false;
 }
- return currentUser.IsAuthenticated;
- }
-
- private static async Task IsPermissionGrantedAsync(DashboardContext context, string requiredPermissionName)
- {
- var permissionChecker = context.GetHttpContext().RequestServices.GetRequiredService();
- return await permissionChecker.IsGrantedAsync(requiredPermissionName);
+ var authorizationService = context.GetHttpContext().RequestServices.GetRequiredService();
+ var authorizationPolicy = _policyBuilder.Build();
+ return (await authorizationService.AuthorizeAsync(context.GetHttpContext().User, authorizationPolicy)).Succeeded;
 }
 }
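Review bot: The role loop in the constructor, `foreach (var roleName in requiredRoleNames!) { _policyBuilder.RequireRole(roleName); }`, adds a separate roles requirement per role, and an ASP.NET Core policy succeeds only when every requirement succeeds, so a user must hold all of the listed roles; the docs hunk in this same commit says the dashboard is accessible when the user has one of the specified roles, so code and documentation disagree. Passing the whole array in one call, `_policyBuilder.RequireRole(requiredRoleNames!);`, produces a single requirement satisfied by any listed role and matches the documented semantics. The tenant gate now decides on the resolved current tenant (`currentTenant.IsAvailable`) rather than the user's `TenantId` claim that the removed code checked, so an authenticated host user whose request happens to resolve a tenant is denied; that is probably intended but deserves a comment on the `if (currentTenant.IsAvailable && !_enableTenant)` line. A short XML `<summary>` on `PolicyBuilder` noting that `Build()` runs on every `AuthorizeAsync` call, so requirements added to it apply to subsequent requests, would also help consumers who extend the policy after startup.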