- ABP Framework version: v4.0.0
- UI type: Angular
- DB provider: EF Core
- Tiered (MVC) or Identity Server Separated (Angular): yes
- Steps to reproduce the issue:
When I grant a permission to the host admin user, the tenant admin users can also access the granted app service method.
[Authorize(QueryPermissions.QueryManagement_ExportImport)]
public async Task<IActionResult> Export()
But when I remove all the permissions, including the host admin's, the method returns 403 as expected. However, this method is still accessible by tenant admins when I remove the tenant admins' permissions but the host still has the permission.
8 Answer(s)
-
0
hi
Can you share the steps and code to repro your problem?
-
0
Permission definition:
queryManagement.AddChild(QueryPermissions.QueryManagement_ExportImport, localizationHelper.L("Permission:QueryManagement:ExportImport"));
App service method authorization:
[Authorize(QueryPermissions.QueryManagement_ExportImport)]
public async Task<IActionResult> Export()
Steps to repro:
- Add one or more tenants
- Give the permission to the host, and remove it from the tenant
- Get a token with the tenant admin and make a request to the Export method: the result code is 200 (this must be 403 but returns 200)
- Remove the permission from the host admin, get a new token with the tenant admin and make a request to the Export method: the result code is 403
As a result, when the permission is granted to the host admin, all tenant admins without the permission can access the resource.
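The thread never settles what causes the tenant admin's 200, so the following is an added example (not the reporter's or ABP's own code, and not a confirmed fix) of the two defender-side measures that make this class of problem visible and bounded in an ABP v4 project: declare the Export/Import permission as host-only at definition time, so ABP excludes it from tenant permission grants entirely, and re-check the permission explicitly inside the action and log the decision together with the current tenant id, so that a request like the one reported leaves a trace. Names such as `QueryPermissions`, `QueryResource`, `QueryPermissionDefinitionProvider` and `ExportController` are assumptions modelled on the thread; `AbpController`, `IPermissionChecker`, `ICurrentTenant`, `MultiTenancySides` and `PermissionDefinitionProvider` are the standard ABP types.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;
using Volo.Abp.AspNetCore.Mvc;
using Volo.Abp.Authorization.Permissions;
using Volo.Abp.Localization;
using Volo.Abp.MultiTenancy;

// Hypothetical permission names, modelled on the ones quoted in the thread.
public static class QueryPermissions
{
    public const string GroupName = "QueryManagement";
    public const string QueryManagement = GroupName + ".QueryManagement";
    public const string QueryManagement_ExportImport = QueryManagement + ".ExportImport";
}

// Hypothetical localization resource; substitute the project's own resource class.
public class QueryResource { }

public class QueryPermissionDefinitionProvider : PermissionDefinitionProvider
{
    public override void Define(IPermissionDefinitionContext context)
    {
        var group = context.AddGroup(QueryPermissions.GroupName, L("Permission:QueryManagement"));

        // Parent permission: default multiTenancySide is Both, so host and tenants can hold it.
        var queryManagement = group.AddPermission(
            QueryPermissions.QueryManagement,
            L("Permission:QueryManagement"));

        // Child permission declared host-only. ABP omits host-side permissions from the
        // tenant permission model, so a tenant admin cannot be granted it at all; the
        // host admin's grant then has no tenant-side counterpart to leak through.
        queryManagement.AddChild(
            QueryPermissions.QueryManagement_ExportImport,
            L("Permission:QueryManagement:ExportImport"),
            multiTenancySide: MultiTenancySides.Host);
    }

    private static LocalizableString L(string name)
    {
        return LocalizableString.Create<QueryResource>(name);
    }
}

public class ExportController : AbpController
{
    private readonly IPermissionChecker _permissionChecker;

    public ExportController(IPermissionChecker permissionChecker)
    {
        _permissionChecker = permissionChecker;
    }

    // The attribute is the primary gate, exactly as in the thread.
    [Authorize(QueryPermissions.QueryManagement_ExportImport)]
    public async Task<IActionResult> Export()
    {
        // Secondary, explicit check: evaluates the permission for the caller's own
        // tenant context and records the decision. If the policy layer ever lets a
        // tenant user through, this returns 403 and the log line shows which tenant
        // and user reached the action. CurrentTenant, CurrentUser and Logger are
        // the properties AbpController exposes.
        var granted = await _permissionChecker.IsGrantedAsync(
            QueryPermissions.QueryManagement_ExportImport);

        Logger.LogInformation(
            "Export requested: tenant={TenantId} user={UserId} granted={Granted}",
            CurrentTenant.Id, CurrentUser.Id, granted);

        if (!granted)
        {
            return Forbid();
        }

        // Actual export would follow here; kept as a placeholder in this example.
        return Ok();
    }
}
```

With the permission declared host-only, the tenant admin's permission management UI no longer offers it, and `IsGrantedAsync` for a tenant user evaluates to false regardless of the host admin's grants; the log line gives an operator a per-request record (tenant id, user id, decision) to compare against the token claims when a 200 is observed where a 403 was expected.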
-
0
-
0
Host admin token
{
  "nbf": 1620373769,
  "exp": 1651909769,
  "iss": "/ca-identity",
  "aud": "CA",
  "client_id": "CA_App",
  "sub": "c078ca72-4869-5383-7919-39fb0586c555",
  "auth_time": 1620373762,
  "idp": "local",
  "role": "admin",
  "phone_number_verified": "False",
  "email": "admin@abp.io",
  "email_verified": "False",
  "name": "admin",
  "sid": "2772ED5FA9773ADB01C8DCDF6B6E44D2",
  "iat": 1620373769,
  "scope": [ "openid", "CA", "offline_access" ],
  "amr": [ "pwd" ]
}
Tenant admin token
{
  "nbf": 1620373904,
  "exp": 1651909904,
  "iss": "/ca-identity",
  "aud": "CA",
  "client_id": "CA_App",
  "sub": "1f1207be-c392-3215-258e-39fb05868f66",
  "auth_time": 1620373896,
  "idp": "local",
  "tenantid": "0748e09a-d518-92fb-df3a-39fb058627cc",
  "role": "admin",
  "phone_number_verified": "False",
  "email": "admin@default-tenant.com",
  "email_verified": "False",
  "name": "admin",
  "sid": "AB62428E55B0BFB174AFD6FB1B8DBDCE",
  "iat": 1620373904,
  "scope": [ "openid", "CA", "offline_access" ],
  "amr": [ "pwd" ]
}
Is there a problem? When the host admin has the permission, the tenant token also makes the request and gets 200, but when I remove the permission from the host admin role, then both tokens get 403.
-
0
hi
I haven't reproduced your problem; I think you may have used the wrong token.
Can you share a simple demo project? liming.ma@volosoft.com
-
0
Hi, I am sure I am using the correct tokens, whose claims I sent you.
-
0
hi
Can you share a simple demo project to reproduce this problem? liming.ma@volosoft.com
-
0
This question has been automatically marked as stale because it has not had recent activity.