Persistent Roles

[GangsterGeek89]

Not sure if this already exists within piranha and ive just missed it somehow but I am currently working on a project that has a public login and register system. I want to be able to assign the user to a role when they register so I want to ensure that the role and required permissions are always set up similar to how 'SysAdmin' is setup in the seed of the IdentityDbContext.

Currently I have implemented this in a module I have created by creating an extension of the IDB interface from Piranha.AspNetCore.Identity

The permissions and policies have been setup in the same way the module template does.

public static IDb AddPublicRoles(this IDb db)
        {
            db.SaveChanges();

            // Make sure we have a PublicUser role
            var RoleName = "PublicUser";
            var role = db.Roles.FirstOrDefault(r => r.NormalizedName == RoleName.ToUpper());
            if (role == null)
            {
                role = new Role
                {
                    Id = Guid.NewGuid(),
                    Name = RoleName,
                    NormalizedName = RoleName.ToUpper()
                };
                db.Roles.Add(role);
            }

            // Get the User permissions in category Public
            var PublicPermissions = App.Permissions["User"].Where(p => p.Category.ToUpper() == "PUBLIC").ToList();

            // Make sure our PublicUser role has all of the available claims
            foreach (var permission in PublicPermissions)
            {
                var roleClaim = db.RoleClaims.FirstOrDefault(c =>
                    c.RoleId == role.Id && c.ClaimType == permission.Name && c.ClaimValue == permission.Name);
                if (roleClaim == null)
                {
                    db.RoleClaims.Add(new IdentityRoleClaim<Guid>
                    {
                        RoleId = role.Id,
                        ClaimType = permission.Name,
                        ClaimValue = permission.Name
                    });
                }
            }

            db.SaveChanges();

            return db;
        }

This is probably not the best way to implement it but what I come up with at the time using the source code as an example. Wondering if this is something worth adding as a piranha feature obviously in a more OOP manner?

[GangsterGeek89]

After a sleeping on this idea I have decided maybe I need to give a bit of a better overview of what my idea of this is

The idea of this is to be able to easily register a policy within piranha that is persistent in that it cant be deleted within the piranha roles manager section or it can be deleted but has a separate permission to do so.

Use Case

The project I am currently working on as stated above uses a front end login and register system and registered users are assigned a default role upon email confirmation. What I want to be able to achieve is to stop my client who will potentially be using the manager from being able to delete this role or others such as 'SysAdmin' as when these roles are delete the users assigned to these roles are removed from the role which makes sense but this could cause some problems if 'SysAdmin' is removed from the roles as you will loose backend access if no other role is configured for this and if my default role users are assigned on email confirmation is removed this could be a pain to go through and re-add all registered users back to this role especially with larger user sets. I know I could create a role with all permissions except the delete role permission but I still want to be able to allow them to create and delete roles as needed.

The way I currently have it set up as above with obviously still allow them to delete the role it just ensures its recreated. I am still currently trying to come up with a solution to fix this

[tidyui]

As the Identity module doesn't have any hooks or real extension points there's unfortunately no built in support for what you're trying to achieve. What I would do in your case is to override the views Areas/Manager/Views/Role/Edit.cshtml and Areas/Manager/Views/Role/List.cshtml. There you can make sure that managers can't delete the roles you don't want them to remove.

Note

When I say override I mean that you simply just place a .cshtml view in your local project in the same location as they are positioned in the modules. The local views will have precedence over the embedded ones.

Regards.

[GangsterGeek89]

Hi @tidyui thank you for your reply. I was thinking more along the lines of this being added in to piranha rather than having to override files in every project. I believe this to be of importance especially when it comes to the SysAdmin Role.

My idea was more along the lines of

namespace Piranha.AspNetCore.Identity.Data
{
    /// <summary>
    /// Application role.
    /// </summary>
    public sealed class Role : IdentityRole<Guid>
    {
        // Defaults to false
        public bool IsPersistent { get; set; } = false;
    }
}

Then within the permissions you could add say 'DeletePersistentRoles' Permission which obviously allows them to delete any role with IsPersistent = true

public static class Permissions
    {
        public const string Roles = "PiranhaRoles";
        public const string RolesAdd = "PiranhaRolesAdd";
        public const string RolesDelete = "PiranhaRolesDelete";
        // The permission
        public const string PersistentRolesDelete = "PiranhaPersistentRolesDelete";

        public const string RolesEdit = "PiranhaRolesEdit";
        public const string RolesSave = "PiranhaRolesSave";
        public const string Users = "PiranhaUsers";
        public const string UsersAdd = "PiranhaUsersAdd";
        public const string UsersDelete = "PiranhaUsersDelete";
        public const string UsersEdit = "PiranhaUsersEdit";
        public const string UsersSave = "PiranhaUsersSave";

        public static string[] All()
        {
            return new[]
            {
                Roles,
                RolesAdd,
                RolesDelete,
                PersistentRolesDelete,
                RolesEdit,
                RolesSave,
                Users,
                UsersAdd,
                UsersDelete,
                UsersEdit,
                UsersSave
            };
        }
    }

Then within the view Areas/Manager/Views/Role/List.cshtml

@if ((await Auth.AuthorizeAsync(User, Piranha.AspNetCore.Identity.Permissions.RolesDelete)).Succeeded &&
        (await Auth.AuthorizeAsync(User, Piranha.AspNetCore.Identity.Permissions.PersistentRolesDelete)).Succeeded)
  {
      <a class="danger" href="@Url.Action("Delete", new {id = role.Id})">
          <span class="fas fa-trash"></span>
      </a>
  }

This way the view would not have to be overridden and provides to some of the box control over what roles can be deleted and provides some reassurance to developers that their clients wont be able to remove the 'SysAdmin' role and cause them a serious headache lol

I am familiar with overriding views etc but I have tried previously to make changes to one of the manager views and I seem to get some errors about vue components not being registered globally, not 100% sure what the errors was now as it was a few weeks ago.

Not sure if I missing something in your reply but hopefully this helps shine a little light on what my overall idea was

and thanks again for your reply and all your hard work