- ABP Framework version: v4.0.0
- UI type: Angular
- DB provider: EF Core
- Tiered (MVC) or Identity Server Separated (Angular): yes
- Steps to reproduce the issue:
When I granted a permission to the host admin user, the tenant admin users can also access the granted app service method.
[Authorize(QueryPermissions.QueryManagement_ExportImport)]
public async Task<IActionResult> Export()
But when I remove all the permissions, including the host admin's, then the method returns 403 as expected.
But this method can be accessed by tenant admins when I remove the tenant admins' permissions but the host still has the permission.
8 Answer(s)
-
hi
Can you share the steps and code to repro your problem?
-
Permission Definition:
queryManagement.AddChild(QueryPermissions.QueryManagement_ExportImport, localizationHelper.L("Permission:QueryManagement:ExportImport"));
AppService Method Authorization:
[Authorize(QueryPermissions.QueryManagement_ExportImport)]
public async Task<IActionResult> Export()
Steps to repro:
- Add one or more tenants
- Give the permission to the host, and remove it from the tenant
- Get a token with the tenant admin and make a request to the Export method: you get a 200 result code (this must be 403 but returns 200)
- Remove the permission from the host admin, get a new token with the tenant admin and make a request to the Export method: you get a 403 result code
As a result, when the permission is granted to the host admin, all tenant admins without the permission can access the resource.
-
hi
Get token with tenant admin and make request to the Export method and get 200 result code ( this must be 403 but returns 200)
Can you check your token claims on https://jwt.io/ ?
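Added example (not from this thread or from ABP): a small Python helper that does offline what the jwt.io check above does, reading the unverified payload of a token and reporting whether it carries ABP's `tenantid` claim, so the host and tenant tokens used in a repro can be told apart before the 200/403 result is interpreted. The sample tokens are constructed here and unsigned; the claim values mirror the shape of an ABP host and tenant admin token.

```python
import base64
import json
from typing import Optional

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is NOT verified: this only inspects which identity and
    tenant a token carries (what jwt.io shows), never makes an authz decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def tenant_of(token: str) -> Optional[str]:
    # ABP carries the tenant in a 'tenantid' claim; a host-side token has none
    return jwt_claims(token).get("tenantid")

def describe(token: str) -> str:
    # One-line summary to log next to the HTTP status the request returned
    claims = jwt_claims(token)
    where = f"tenant {claims['tenantid']}" if "tenantid" in claims else "host"
    return f"sub={claims.get('sub')} role={claims.get('role')} ({where})"

def _unsigned_token(claims: dict) -> str:
    # Constructed test token with an empty signature (alg=none). It exists
    # only to feed the inspection helpers above; a real server rejects it.
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    return header + "." + enc(claims) + "."

# Constructed sample claims modelled on a host admin and a tenant admin token
HOST_TOKEN = _unsigned_token({"sub": "c078ca72-4869-5383-7919-39fb0586c555",
                              "role": "admin", "name": "admin"})
TENANT_TOKEN = _unsigned_token({"sub": "1f1207be-c392-3215-258e-39fb05868f66",
                                "tenantid": "0748e09a-d518-92fb-df3a-39fb058627cc",
                                "role": "admin", "name": "admin"})

if __name__ == "__main__":
    for token in (HOST_TOKEN, TENANT_TOKEN):
        print(describe(token))
```

If `describe()` reports `(host)` for the token that returned 200 on `Export`, the 200 is the expected outcome and the repro used the wrong token; only a `(tenant ...)` token getting 200 indicates the permission boundary is not being applied.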
-
Host admin token
{
"nbf": 1620373769,
"exp": 1651909769,
"iss": "/ca-identity",
"aud": "CA",
"client_id": "CA_App",
"sub": "c078ca72-4869-5383-7919-39fb0586c555",
"auth_time": 1620373762,
"idp": "local",
"role": "admin",
"phone_number_verified": "False",
"email": "admin@abp.io",
"email_verified": "False",
"name": "admin",
"sid": "2772ED5FA9773ADB01C8DCDF6B6E44D2",
"iat": 1620373769,
"scope": [
"openid",
"CA",
"offline_access"
],
"amr": [
"pwd"
]
}
Tenant admin token
{
"nbf": 1620373904,
"exp": 1651909904,
"iss": "/ca-identity",
"aud": "CA",
"client_id": "CA_App",
"sub": "1f1207be-c392-3215-258e-39fb05868f66",
"auth_time": 1620373896,
"idp": "local",
"tenantid": "0748e09a-d518-92fb-df3a-39fb058627cc",
"role": "admin",
"phone_number_verified": "False",
"email": "admin@default-tenant.com",
"email_verified": "False",
"name": "admin",
"sid": "AB62428E55B0BFB174AFD6FB1B8DBDCE",
"iat": 1620373904,
"scope": [
"openid",
"CA",
"offline_access"
],
"amr": [
"pwd"
]
}
Is there a problem?
When the host admin has the permission, the tenant token also makes the request and gets 200, but when I remove the permission from the host admin role then both tokens get 403.
-
hi
I haven't reproduced your problem, I think you may have used the wrong token.
Can you share a simple demo project? liming.ma@volosoft.com
-
Hi, I am sure I am using the correct tokens, for which I sent you the claims.
-
hi
Can you share a simple demo project to reproduce this problem? liming.ma@volosoft.com
-
This question has been automatically marked as stale because it has not had recent activity.