I have a empty servicestack project that makes use of ValidationRule table, and uses Auth Repository. I have done the tests with and without UseDistinctRoleTables.
I have 4 users created in the Configure.AuthRepository.cs at startup with Roles.
When I route to https://localhost:5001/admin-ui/users?edit=1, the Roles dropdown does not show and I am unable to add more roles. After I delete the role, I can add new roles but only Admin appear in the dropdown.
This seems to be bugs in admin-ui. Furthermore, If I put an entry in the ValidationRule table with HasRoles([Role1,Role2,Role3]) etc… these roles are also not picked up.
Where would I add a list of all Roles available in the system so that it appears in the admin-ui dropdowns (for edit and creating users).
Also, what would happen if I have no roles set up (so users are without roles) but we have HasRoles in the validation rule table. Will ServiceStack pick up Roles as defined in the Validation Rule Table or only roles in the AppUser Table or of there is a seperate UserAuthRole Table, will it pick it up from there? I don’t think the documentation on this is clear and there should be an easy way to define available roles that will appear in Admin-ui
Your roles need to be statically defined in your code-base, i.e. by using [ValidateHasRole] or [RequiredRole] attributes which I’m not seeing in the code-base anywhere.
I am trying to make whether roles are required on not on a service totally user defined, except for admin specific roles. That is why I am using ValidationRule table so Roles and permissions can be defined dynamically ?
ServiceStack only scans the code-base to workout the list of available roles on Startup, it does not try to scan external deps for them.
Easiest solution would be to create dummy API which lists all the roles you want to make available, e.g:
[RequiresAnyRole("TheRole", "TheRole2")]
[Restrict(VisibilityTo = RequestAttributes.None)]
class DummyRequest {}
class DummService : Service {
public object Any(DummyRequest request) => request;
}
You should also be able to add them by dynamically changing the AppMetadata to include them, e.g:
appHost.AddToAppMetadata(meta =>
{
// If using Identity Auth
meta.Plugins.AdminIdentityUsers.AllRoles.AddRange([
"TheRole",
"TheRole2",
]);
// If using ServiceStack Auth
meta.Plugins.AdminUsers.AllRoles.AddRange([
"TheRole",
"TheRole2",
]);
});
So once that is done, if I set permissions and roles in ValidationRule table, it will work correctly. What would I use in ValidationRule if a user in any of the following roles (TheRole, TheRole2) can have access to Hello endpoint for e.g.
I have the AdminUsersFeature() added, but when I execute
meta.Plugins.AdminUsers.AllRoles.AddRange([
“TheRole”,
“TheRole2”,
]); I get an Error that AdminUsers are null.
So can I Add many records into the ValidationRule table with HasRole(TheRole)
and then another record for
HasRole(TheRole2).
Will it be possible to add HasAnyRoles. I think there is a use case for saying only users in the Banker, BankSupport and BankAdmin can access a specific endpoint. Alternatively i we can add many HasRole in ValidationRule table, it would work.
I have done some more testing, and it does not seem to work. Admin-ui allow me to add a number of HasRole records, but when I set two roles, it does not work. Also, when I add the actual Attributes to my Hello Endpoint
