Hello, We're using abp's default feature module. For every custom module that we developed, we're creating a class derived from FeatureDefinitionProvider and defining our features . When we run the application, it seems these features are written into our Redis cache and into db . We'll be installing our application with modules (some of them disabled some of them enabled by default) as on-premise. But we realized something. If we go to redis and edit features' values manually then we able to see the hidden modules . Is that a bug for on-premise system or do you have any suggestions about that topic ? Because in that case, even if we close some of the features , customers still can go into redis and change default variables and enable hidden features easily. What should we do in that case, how can we prevent this behavior ? Thank you .
- ABP Framework version: v7.3.1
- UI Type: MVC
- Database System: EF Core (SQL Server, )
- Tiered (for MVC) or Auth Server Separated (for Angular): yes/no
- Exception message and full stack trace:
- Steps to reproduce the issue:
3 Answer(s)
-
0
If we go to redis and edit features' values manually then we able to see the hidden modules .
No, it's not a bug. you should use a remote Redis server instead of a local.
If everything is installed locally on the client, even without Redis, the customers can change the database directly, right?
-
0
But abp should support both on-premise and cloud deployments, right ? Besides like you said, even without redis customers still change these features via db and this is a problem for also cloud installations. I think we need a solution something like => not persisting these features to anywhere (just runtime). We need to solve this issue it can be a big problem when you sell your product to customers . In someway this feature enabling/disabling thing via redis or db should be prevented ! What can we do at that point, which class should we override FeatureManagementProvider or IFeatureManagementStore ?
-
0
Hi,
If the database server and Redis server are installed on the client, the client can change almost everything. This is not only a problem with ABP but with all software, isn’t it?
I think we need a solution something like => not persisting these features to anywhere (just runtime).
This is a possible solution, you can replace the
IFeatureManagementStoreservice to get feature value from memory: https://github.com/abpframework/abp/blob/dev/modules/feature-management/src/Volo.Abp.FeatureManagement.Domain/Volo/Abp/FeatureManagement/FeatureManagementStore.cs- Configure the feature value to memory before on-premise
- Always get the feature value from memory
