Restrict user access to records they do not own


Note: this is just a sample scenario, so I don't have any code to share. In a nutshell, I want to restrict one user from editing another user's data.

If I have a news website created in ABP, it has Editors, Authors and Articles. Authors have a boss, an Editor, so the Authors table has an EditorID column. Articles are created by Authors and therefore have an AuthorID column.

I want the following permissions for Articles. The Author who created an article should be able to edit that article. Other Authors cannot edit another Author's articles. Editors can edit Articles that are created by the Authors they manage. Everyone can view any Article.

How and where in the ABP.io framework can I set this up? And when a user is denied access, what should I return?

I have looked at the custom permission feature, but I cannot see that it has the ability to restrict based on data in the DTO. For example, what I need to do is compare who the user is and check whether the record they are attempting to edit (data in the DTO) belongs to them.


There are 0 answers
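No answer was posted. The following is an added worked example, not code from the question or from the ABP project, showing the standard way to express this kind of ownership rule in ABP: ASP.NET Core resource-based authorization (`AuthorizationHandler<TRequirement, TResource>`) invoked from an ABP application service with `AuthorizationService.CheckAsync(resource, requirement)`. It assumes entity names `Editor`, `Author`, `Article`, a `UserId` column on `Editor` and `Author` that links the row to the ABP identity user (the question only names `EditorID` and `AuthorID`), and a requirement name `Article.Edit`; all of those are illustrative choices. The security-relevant point is that the check runs against the article loaded from the database by id, never against an owner id supplied in the DTO, because the DTO is under the caller's control.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;
using Microsoft.Extensions.DependencyInjection;
using Volo.Abp.Application.Services;
using Volo.Abp.Domain.Entities;
using Volo.Abp.Domain.Repositories;
using Volo.Abp.Modularity;
using Volo.Abp.Users;

// Entities as described in the question. The UserId property that links a row to the
// ABP identity user is an assumption made for this example.
public class Editor : AggregateRoot<Guid> { public Guid UserId { get; set; } }
public class Author : AggregateRoot<Guid> { public Guid UserId { get; set; } public Guid EditorId { get; set; } }
public class Article : AggregateRoot<Guid>
{
    public Guid AuthorId { get; set; }
    public string Title { get; set; } = "";
    public string Body { get; set; } = "";
}

// The update DTO deliberately carries no AuthorId: ownership is read from the stored row.
public class UpdateArticleDto { public string Title { get; set; } = ""; public string Body { get; set; } = ""; }
public class ArticleDto { public Guid Id { get; set; } public string Title { get; set; } = ""; public string Body { get; set; } = ""; }

// One requirement per operation. Only "Edit" needs a handler, since everyone may view.
public static class ArticleOperations
{
    public static readonly OperationAuthorizationRequirement Edit = new() { Name = "Article.Edit" };
}

// Resource-based handler: the resource is the persisted Article entity, not the incoming DTO.
public class ArticleEditHandler : AuthorizationHandler<OperationAuthorizationRequirement, Article>
{
    private readonly ICurrentUser _currentUser;
    private readonly IRepository<Author, Guid> _authors;
    private readonly IRepository<Editor, Guid> _editors;

    public ArticleEditHandler(ICurrentUser currentUser, IRepository<Author, Guid> authors, IRepository<Editor, Guid> editors)
    {
        _currentUser = currentUser; _authors = authors; _editors = editors;
    }

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context, OperationAuthorizationRequirement requirement, Article article)
    {
        if (requirement.Name != ArticleOperations.Edit.Name) return; // not our operation
        if (_currentUser.Id is not Guid userId) return;              // anonymous caller: requirement stays unmet

        // Rule 1: the Author who wrote the article may edit it.
        var author = await _authors.FindAsync(article.AuthorId);
        if (author == null) return;                                  // dangling AuthorId: deny, do not guess
        if (author.UserId == userId) { context.Succeed(requirement); return; }

        // Rule 2: the Editor who manages that Author may edit it.
        var editor = await _editors.FindAsync(author.EditorId);
        if (editor != null && editor.UserId == userId) context.Succeed(requirement);

        // Anyone else falls through without Succeed(), so CheckAsync below throws.
    }
}

// Register the handler in your module. Transient (not singleton) so it can take the
// unit-of-work scoped repositories it depends on.
public class NewsApplicationModule : AbpModule
{
    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        context.Services.AddTransient<IAuthorizationHandler, ArticleEditHandler>();
    }
}

public class ArticleAppService : ApplicationService
{
    private readonly IRepository<Article, Guid> _articles;
    public ArticleAppService(IRepository<Article, Guid> articles) => _articles = articles;

    private static ArticleDto ToDto(Article a) => new() { Id = a.Id, Title = a.Title, Body = a.Body };

    // "Everyone can view any Article": no ownership check on reads.
    public async Task<ArticleDto> GetAsync(Guid id) => ToDto(await _articles.GetAsync(id));

    public async Task<ArticleDto> UpdateAsync(Guid id, UpdateArticleDto input)
    {
        // Load the stored record by id; a missing id raises EntityNotFoundException (HTTP 404 in ABP).
        var article = await _articles.GetAsync(id);

        // ABP's CheckAsync extension throws AbpAuthorizationException when no handler succeeds;
        // ABP's exception handling turns that into HTTP 403 (401 if the caller is not authenticated).
        await AuthorizationService.CheckAsync(article, ArticleOperations.Edit);

        article.Title = input.Title;
        article.Body = input.Body;
        return ToDto(await _articles.UpdateAsync(article));
    }
}
```

ABP's permission system (`PermissionDefinitionProvider` plus `[Authorize("...")]`) is the right place for the coarse rule "may this role edit articles at all"; the per-record rule above sits underneath it in the application service, after the entity has been loaded. On denial there is nothing to return by hand: letting `AbpAuthorizationException` propagate gives the client a consistent 403 body, and it avoids the common mistake of returning a success response with silently unchanged data. If you prefer not to throw, the underlying Microsoft API `AuthorizationService.AuthorizeAsync(User, article, ArticleOperations.Edit)` returns an `AuthorizationResult` whose `Succeeded` flag you can branch on.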