Open Closed

Production Issue - High Priority - Able to access the abp framework related API method without authorization #4332


User avatar
0
abpdeveloper@dbizsolution.com created
  • ABP Framework version: v4.4
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): Application template with separate identity server
  • Exception message and stack trace:
  • Steps to reproduce the issue:"

No Authorize is set in the swagger, pls refer screenshot

Now try accessing the abp framework api which returns data even though authorise is not set

Example the https://localhost:44343/api/abp/multi-tenancy/tenants/by-name/SG method returns data even without authorise token set.

How to get this restricted


1 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    This is by design, because we may switch tenants on the Login page, we need to get the basic information of tenants anonymously.

    https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.AspNetCore.Mvc.Contracts/Volo/Abp/AspNetCore/Mvc/MultiTenancy/IAbpTenantAppService.cs

Made with ❤️ on ABP v9.1.0-preview. Updated on December 05, 2024, 12:19