[IMPLEMENTED] "Hide Schemas" and other Role Properties using custom claims based authentication

slalFe · August 15, 2022, 12:32pm

I have…

[x] Read the following guideline: https://docs.squidex.io/01-getting-started/installation/troubleshooting-and-support. I understand that my support request might get deleted if I do not follow the guideline.

I’m submitting a…

[ ] Regression (a behavior that stopped working in a new release)
[ ] Bug report
[ ] Performance issue
[x] Documentation issue or request

Current behavior

When adding permissions for a user at the site level it is not possible to specify the other properties around hiding areas of the UI for certain Roles, for example ‘Hide Schemas’.

Expected behavior

I should be able to specify that I do not want them to show using permissions at the site level, for example: “squidex.apps.{app}.assets.view”. I didn’t raise a feature request as I do not know for sure whether this is currently possible or not!

Minimal reproduction of the problem

Environment

App Name: n/a

[x] Self hosted with docker
[ ] Self hosted with IIS
[ ] Self hosted with other version
[ ] Cloud version

Version: 6.9.0

Browser:

[x] Chrome (desktop)
[ ] Chrome (Android)
[ ] Chrome (iOS)
[ ] Firefox
[ ] Safari (desktop)
[ ] Safari (iOS)
[ ] IE
[ ] Edge

Others:
Apologies if you’ve been asked this before, feel like I might have seen answer around this in another support ticket but I cannot find it if so.

As it isn’t listed in
https://github.com/Squidex/squidex/blob/master/backend/src/Squidex.Shared/Permissions.cs I am assuming it is handled separately to claims?

At the moment the current plan is to somehow assign a user to a Role for an app when they log in using our custom authentication application but that seems dodgy especially when it’s just so we can make use of this functionality.

Sebastian · August 15, 2022, 3:11pm

It is not possible at the moment.

The role properties are just an anonymous object that is maintained by the UI for the UI. The backend does not care what the UI adds to this object.

So basically we could introduce a special notation for these claims and then you can override everything using claims.

The relevant code is this:

github.com

Squidex/squidex/blob/master/backend/src/Squidex/Areas/Api/Controllers/Apps/Models/AppDto.cs#L113


    isContributor = true;

    result.RoleName = roleName;
    result.RoleProperties = role.Properties;
    result.Permissions = permissions.ToIds();

    permissions = role.Permissions;
}
else if (app.Clients.TryGetValue(userId, out var client) && app.Roles.TryGet(app.Name, client.Role, isFrontend, out role))
{
    result.RoleName = roleName;
    result.RoleProperties = role.Properties;
    result.Permissions = permissions.ToIds();

    permissions = role.Permissions;
}
else
{
    result.RoleProperties = new JsonObject();
}

So what I meant, we could add something like this

// Pseudo code
const string Prefix = "urn:squidex.ui.";

for (var claim of User.Claims.Where(x => x.Key.StartWith(Prefix))
{
   result.RoleProperties[claim.Key.Substring(Prefix.Length)] = claim.Value;
}

slalFe · August 16, 2022, 8:05am

Ah I was looking at that yesterday so glad to hear I was looking in the right place!

That does sound promising and relatively simple, I will see if this is how we definitely want to go about things and whether I am OK to potentially work on it myself.

Am I right in saying a new feature like this would be part of version 7.x and not retrofitted to 6.x? We have not yet made the move to 7.x but this would give us a big drive to move to it, as if removing Orleans and all the warning and error logs we get from it wasn’t beneficial enough!

Sebastian · August 16, 2022, 8:08am

Yes, it is part of the 7.x branch.

slalFe · August 16, 2022, 8:09am

oh you’ve already done it! Thanks so much, will test it out asap!

system · August 18, 2022, 8:08am

This topic was automatically closed after 2 days. New replies are no longer allowed.