michael.sudnik created
- ABP Framework version: v4.0.1
- UI type: MVC
- DB provider: MongoDB
- Tiered (MVC) or Identity Server Separated (Angular): yes
- Exception message and stack trace:
- Steps to reproduce the issue:
There is no authorize attribute on the IdentityUserAppService.GetAvailableOrganizationUnitsAsync()
method, which would allow any unauthenticated user to discover the OU structure!
Maybe there are also other cases where this has been missed?
(P.S. Great to see the DB provider field in the new question template!)
1 Answer(s)
Hi @michael.sudnik,
You are right. That method should request a permission.
This issue will be fixed in the 4.1.0 release.
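
The question of whether other methods were missed can be checked mechanically. The following is an added example, not code from ABP or from either poster: a reflection scan that lists application-service methods carrying no authorization attribute at method or class level. The stand-in `AuthorizeAttribute`, `IApplicationService` and the two `Sample*` classes are constructed so the sample compiles on its own; the scan matches by type name, so it is assumed to work the same way when pointed at an assembly that uses the real types.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Threading.Tasks;

// Constructed stand-ins so the sample compiles without ABP or ASP.NET Core packages.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class AuthorizeAttribute : Attribute { }
public interface IApplicationService { }

[Authorize] // a class-level attribute covers every method of the service
public class SampleRoleAppService : IApplicationService
{
    public Task<string[]> GetListAsync() => Task.FromResult(new string[0]);
}

public class SampleUserAppService : IApplicationService
{
    [Authorize]
    public Task<string> GetAsync(Guid id) => Task.FromResult("user");
    // Constructed to mirror the report: no attribute on the method or the class.
    public Task<string[]> GetAvailableOrganizationUnitsAsync() => Task.FromResult(new string[0]);
}

public static class AuthorizationAudit
{
    // Matches by attribute type name; [AllowAnonymous] counts as an explicit decision.
    static bool Declares(MemberInfo m) => m.GetCustomAttributes(true)
        .Any(a => a.GetType().Name is "AuthorizeAttribute" or "AllowAnonymousAttribute");

    // DeclaredOnly: methods inherited from a base service class are not inspected here.
    public static IEnumerable<string> FindUnprotected(Assembly assembly) =>
        from t in assembly.GetTypes()
        where t.IsClass && !t.IsAbstract
           && t.GetInterfaces().Any(i => i.Name == "IApplicationService")
           && !Declares(t)
        from m in t.GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
        where !m.IsSpecialName && !Declares(m)
        select $"{t.FullName}.{m.Name}";

    public static int Main()
    {
        var gaps = FindUnprotected(typeof(AuthorizationAudit).Assembly).ToList();
        gaps.ForEach(Console.WriteLine); // SampleUserAppService.GetAvailableOrganizationUnitsAsync
        return gaps.Count == 0 ? 0 : 1;  // non-zero exit code fails a CI step
    }
}
```

A method that enforces its permission imperatively inside the body is reported as well, so the output is a review list rather than a list of confirmed gaps.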