Activities of "Karthigeyan"

Is ABP doing any kind of validation, e.g. are only specific formats allowed for the uploaded image?

There is no format validation in the API endpoint, but only certain types of files are allowed to be selected from the UI.

Also, does ABP check that the file is valid/secure before proceeding to store it in the blob?

There is no such validation, and I am not sure if it is necessary. Because, for example, if a user uploads an invalid image, it only affects them. We know that this does not affect other users or cause any security vulnerability.

Here is the implementation of SetProfilePictureAsync:

    [Authorize]
    public virtual async Task SetProfilePictureAsync(ProfilePictureInput input) 
    { 
        await SettingManager.SetForUserAsync(CurrentUser.GetId(), AccountSettingNames.ProfilePictureSource, input.Type.ToString()); 
 
        var userIdText = CurrentUser.GetId().ToString(); 
 
        if (input.Type != ProfilePictureType.Image) 
        { 
            if (await AccountProfilePictureContainer.ExistsAsync(userIdText)) 
            { 
                await AccountProfilePictureContainer.DeleteAsync(userIdText); 
            } 
        } 
        else 
        { 
            if (input.ImageContent == null) 
            { 
                throw new NoImageProvidedException(); 
            } 
 
            var imageStream = input.ImageContent.GetStream(); 
 
            if (ProfilePictureOptions.Value.EnableImageCompression) 
            { 
                try 
                { 
                    var compressResult = await ImageCompressor.CompressAsync(imageStream); 
 
                    if (compressResult.Result is not null && imageStream != compressResult.Result && compressResult.Result.CanRead) 
                    { 
                        await imageStream.DisposeAsync(); 
                        imageStream = compressResult.Result; 
                    } 
                } 
                catch (Exception e) 
                { 
                    Logger.LogWarning(e, "Profile picture compression failed! User ID:" + CurrentUser.GetId()); 
                } 
            } 
 
            await AccountProfilePictureContainer.SaveAsync(userIdText, imageStream, true); 
        } 
    } 

Hi berkansasmaz,

We have tested one scenario where the backend request is intercepted and the file content is changed from an image to some other file like .aspx or any malware content. Will it still be able to block it?

Thanks
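
For the scenario raised above (an intercepted request whose image bytes are replaced with other content), one server-side option is to check the stream's leading bytes against known image signatures before it is saved. This is an added example, not ABP's code or part of the original thread; `ImageSignatureValidator` and its members are hypothetical names, and the sample inputs are constructed.

```csharp
using System;
using System.IO;
using System.Text;
using System.Threading.Tasks;

// Hypothetical helper (not part of ABP): accepts an upload only if its leading
// bytes match a known image signature, whatever its file name or Content-Type says.
public static class ImageSignatureValidator
{
    public static async Task<bool> IsAllowedImageAsync(Stream stream)
    {
        if (stream == null || !stream.CanRead || !stream.CanSeek) return false; // cannot inspect and rewind: reject

        var header = new byte[12];
        var start = stream.Position;
        var read = 0;
        int n;
        while (read < header.Length && (n = await stream.ReadAsync(header, read, header.Length - read)) > 0)
        {
            read += n;
        }
        stream.Position = start; // rewind so the caller can still save the full content

        return Has(header, read, 0, 0xFF, 0xD8, 0xFF)                                  // JPEG
            || Has(header, read, 0, 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A)    // PNG
            || Has(header, read, 0, 0x47, 0x49, 0x46, 0x38)                            // GIF ("GIF8")
            || (Has(header, read, 0, 0x52, 0x49, 0x46, 0x46) && Has(header, read, 8, 0x57, 0x45, 0x42, 0x50)); // WebP ("RIFF"...."WEBP")
    }

    // True when `sig` appears at `offset` within the `len` bytes actually read.
    private static bool Has(byte[] h, int len, int offset, params byte[] sig)
    {
        if (len < offset + sig.Length) return false;
        for (var i = 0; i < sig.Length; i++)
        {
            if (h[offset + i] != sig[i]) return false;
        }
        return true;
    }

    public static async Task Main()
    {
        // Constructed samples: a PNG header, and ASPX markup sent in place of the image bytes.
        var png = new MemoryStream(new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 0x0D });
        var aspx = new MemoryStream(Encoding.ASCII.GetBytes("<%@ Page Language=\"C#\" %>"));
        Console.WriteLine($"png accepted:  {await IsAllowedImageAsync(png)}");
        Console.WriteLine($"aspx accepted: {await IsAllowedImageAsync(aspx)}");
    }
}
```

In an override of `SetProfilePictureAsync`, such a check would run on the stream before `AccountProfilePictureContainer.SaveAsync`; a non-seekable request stream has to be copied to a `MemoryStream` first. A signature match only confirms the header, so fully decoding or re-encoding the image is the stronger check.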

Hi Team,

In the application we have multiple components at the UI level and respective API/app services (where the services can be restricted at the permission level). But we are looking for a solution/approach where the permission/feature can be applied at the login time of the user and, based on that, access can be restricted to the specific components.

Thanks

Hi, while uploading the image for the user at "Profile Picture", ABP uses the inbuilt service "SetProfilePictureAsync" (api: api/account/profile-picture). We need some information on the below:

  1. Is ABP doing any kind of validation, e.g. are only specific formats allowed for the uploaded image?
  2. Also, does ABP check that the file is valid/secure before proceeding to store it in the blob?

Thanks

Question
  • ABP Framework version: v8.3
  • UI Type: Angular
  • Database System: PostgreSQL
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes

Hi Team,

Currently, we are generating the access token to call other microservices from one microservice. Is there any way we can pass the token from the current session or from the current request of the microservice and use it to call another microservice?

Answer

Maybe you didn't add the openid management UI to your project. https://abp.io/docs/latest/release-info/migration-guides/openiddict-step-by-step#ui-layer

Also, it would be helpful if you could share a screenshot of the host admin login and which feature/permission needs to be enabled to view the 'OpenIddict' menu (hopefully it will be under the Identity Management menu, which is under Administration), because these are built-in features/permissions that ABP provides (like Claim types, Security logs).

For example: The Identity management -> Roles used the below, Permission: AbpIdentity.Users Router Link: identity-users

It would be helpful to know, for the OpenIddict menu, which permission needs to be enabled, or whether we need to add the menu in the UI with the respective router link.

Answer

Maybe you didn't add the openid management UI to your project. https://abp.io/docs/latest/release-info/migration-guides/openiddict-step-by-step#ui-layer

In our application we are using the "OpenIDConnectAuthentication" authentication. Will this affect OpenIddict, or do we need to replace "OpenIDConnectAuthentication" with OpenIddict?

Answer

Could you share the full logs? thanks.

I don't see any errors. The only thing is that we were not able to view the OpenIddict option/menu in the host admin login. Could you please share your thoughts on what the possible reasons for that could be?

Answer

How do I reproduce the problem?

BTW, openid management is only visible to the Host users.

Right, it will be visible for Host users (in our case it's not visible). After the upgrade from ABP 6/7, it has been missing in the Host menu. We made the changes as per the guidelines for the migration to OpenIddict.

Answer

Yes, you need to assign openid management permissions to users/roles.

Okay, are you talking about the below permission enablement? Even after enabling the above options, I was not able to view it. Could you please provide information on where I can find the option once it is enabled?

Thank you

Answer

Hi,

OpenIddict is unavailable in Live Demo, you can create a new project to check it.

Hi,

Do we need to enable any features/permissions to view the OpenIddict option in the Host environment?

Made with ❤️ on ABP v9.3.0-preview. Updated on April 16, 2025, 12:13