
Missing Authorize attribute within the IdentityUserAppService GetAvailableOrganizationUnitsAsync method! #706


michael.sudnik created
  • ABP Framework version: v4.0.1
  • UI type: MVC
  • DB provider: MongoDB
  • Tiered (MVC) or Identity Server Separated (Angular): yes
  • Exception message and stack trace:
  • Steps to reproduce the issue:

There is no authorize attribute on the IdentityUserAppService.GetAvailableOrganizationUnitsAsync() method, which would allow any unauthenticated user to discover the OU structure!

Maybe there are also other cases where this has been missed?

(p.s. Great to see the DB provider field in the new question template!)


1 Answer(s)
  • yekalkan created
    Support Team Fullstack Developer

    Hi @michael.sudnik,

    You are right. That method should request a permission.

    This issue will be fixed in 4.1.0 release.
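As an added illustration of the report and the fix (example code written for this page, not ABP's own IdentityUserAppService and not the reporter's code): a hypothetical application service with the unprotected method beside its permission-guarded form, followed by a reflection-based audit that lists application service methods no authorization attribute covers, which is one way to answer the "other cases" question above. It assumes the Volo.Abp.Ddd.Application, Volo.Abp.Identity.Application.Contracts and Microsoft.AspNetCore.Authorization packages are referenced; OrgUnitLookupAppService and its sample data are made up.

```csharp
// Added example for this page; not code from the ABP Framework or from the post.
// Assumes Volo.Abp.Ddd.Application, Volo.Abp.Identity.Application.Contracts and
// Microsoft.AspNetCore.Authorization are referenced. OrgUnitLookupAppService and its
// sample data are hypothetical stand-ins for the real service and repository.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Volo.Abp.Application.Services;
using Volo.Abp.Identity;

public class OrgUnitLookupAppService : ApplicationService
{
    // VULNERABLE: neither this method nor the class carries [Authorize]. ABP exposes
    // application services as auto API controllers, so the generated endpoint can be
    // called without logging in and enumerates the organization unit structure.
    public virtual Task<List<string>> GetAvailableOrganizationUnitsUnprotectedAsync()
    {
        return Task.FromResult(LoadOrganizationUnitNames());
    }

    // HARDENED: the caller must hold the permission before the method body runs.
    // The method must stay virtual so ABP's authorization interceptor can wrap it.
    [Authorize(IdentityPermissions.Users.Default)]
    public virtual Task<List<string>> GetAvailableOrganizationUnitsAsync()
    {
        return Task.FromResult(LoadOrganizationUnitNames());
    }

    private static List<string> LoadOrganizationUnitNames()
    {
        // Constructed sample data in place of a repository query.
        return new List<string> { "Finance", "Engineering", "Security" };
    }
}

// Audit for the "other cases" question: walk every concrete IApplicationService in an
// assembly and report public async methods that no authorization requirement covers,
// i.e. no IAuthorizeData attribute on the method or its class, or an explicit
// IAllowAnonymous on the method.
public static class AuthorizationAudit
{
    public static List<string> FindUnprotectedMethods(Assembly assembly)
    {
        var findings = new List<string>();
        var appServiceTypes = assembly.GetTypes()
            .Where(t => t.IsClass && !t.IsAbstract && typeof(IApplicationService).IsAssignableFrom(t));

        foreach (var type in appServiceTypes)
        {
            bool classAuthorized = type.GetCustomAttributes(true).OfType<IAuthorizeData>().Any();
            var methods = type
                .GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                .Where(m => !m.IsSpecialName && typeof(Task).IsAssignableFrom(m.ReturnType));

            foreach (var method in methods)
            {
                bool methodAuthorized = method.GetCustomAttributes(true).OfType<IAuthorizeData>().Any();
                bool anonymous = method.GetCustomAttributes(true).OfType<IAllowAnonymous>().Any();
                if (anonymous || (!classAuthorized && !methodAuthorized))
                {
                    findings.Add($"{type.FullName}.{method.Name}");
                }
            }
        }
        return findings;
    }
}

public static class Program
{
    public static void Main()
    {
        // Scans this assembly; in a real project point it at each *.Application assembly.
        foreach (var finding in AuthorizationAudit.FindUnprotectedMethods(typeof(Program).Assembly))
        {
            Console.WriteLine("No authorization requirement: " + finding);
        }
    }
}
```

The audit is a heuristic review list, not a verdict: it flags methods that authorize imperatively in the body with CheckPolicyAsync (a false positive), and it sees only attributes, not policies applied at the endpoint or middleware level. Two practitioner caveats apply to the fix itself: a class-level [Authorize] protects every method unless one is marked [AllowAnonymous], so audit those exceptions deliberately, and because ABP enforces the attribute through a dynamic proxy, a non-virtual method bypasses the check when the service is called in-process.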

Made with ❤️ on ABP v9.1.0-preview. Updated on December 13, 2024, 06:09