Open Closed

Production Issue - High Priority - Able to access the abp framework related API method without authorization #4332

User avatar
0
abpdeveloper@dbizsolution.com created
  • ABP Framework version: v4.4
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): Application template with separate identity server
  • Exception message and stack trace:
  • Steps to reproduce the issue:"

No Authorize is set in the swagger, pls refer screenshot

Now try accessing the abp framework api which returns data even though authorise is not set

Example the https://localhost:44343/api/abp/multi-tenancy/tenants/by-name/SG method returns data even without authorise token set.

How to get this restricted

Go to accepted answer
1 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    This is by design, because we may switch tenants on the Login page, we need to get the basic information of tenants anonymously.

    https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.AspNetCore.Mvc.Contracts/Volo/Abp/AspNetCore/Mvc/MultiTenancy/IAbpTenantAppService.cs

Assignee
No one
Labels
None yet
Boost Your Development
ABP Live Training
Packages
See Trainings
Mastering ABP Framework Book
The Official Guide
Mastering
ABP Framework
Learn More
Mastering ABP Framework Book
Made with ❤️ on ABP v10.1.0-preview. Updated on November 04, 2025, 06:41