Activities of "auxo-devsu"

  • ABP Framework version: v8.0.0
  • UI Type: Angular / MVC / Blazor WASM / Blazor Server
  • Database System: EF Core (SQL Server)

I'm struggling to get around how to manage permissions, permissions no longer used and permissions per role.

  1. I would like to delete the permission groups above. What are the options I have for doing that?
  2. I would like to define the permissions of a given role. What are the options I have for doing that?
  3. How do I ensure that new tenants being created always get the latest set of default permissions for the application?
  4. Can I disable the out-of-the-box admin role?

Thanks!

That sounds good! Thank you!

  • ABP Framework version: v8.0.0
  • UI Type: MVC
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated (for Angular): separated

Hi,

Over the last 11 months, we've been using ABP, and we are happy about it. However, I have been ignoring some key security alerts emitted by GitHub Dependabot and I'd like to know if the ABP team is currently using something along those lines and, also, when there will be an update to the following vulnerabilities:

HIGH

  • uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) via IPv4-mapped IPv6 addresses.
    • @volo/account@8.0.0 requires uppy@^1.16.1 via @abp/uppy@8.0.0.
    • Patched version is 2.3.3
  • This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
    • @volo/abp.aspnetcore.mvc.ui.theme.leptonx@3.0.0 requires glob-parent@^3.1.0 via a transitive dependency on chokidar@2.1.8
    • @volo/account@8.0.0 requires glob-parent@^3.1.0 via a transitive dependency on chokidar@2.1.8
    • @volo/abp.aspnetcore.mvc.ui.theme.leptonx@3.0.0 requires glob-parent@^3.1.0 via a transitive dependency on glob-stream@6.1.0
    • @volo/account@8.0.0 requires glob-parent@^3.1.0 via a transitive dependency on glob-stream@6.1.0
    • Patched version is 5.1.2

MEDIUM

  • ReDoS in Sec-Websocket-Protocol header - A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server.
    • @volo/account@8.0.0 requires ws@~6.1.0 via a transitive dependency on engine.io-client@3.3.3
    • The earliest fixed version is 6.2.2.

LOW

  • sweetalert2 v11.6.14 and above contains potentially undesirable behavior - sweetalert2 versions 11.6.14 and above have potentially undesirable behavior. The package outputs audio and/or video messages that do not pertain to the functionality of the package when run on specific tlds. This functionality is documented on the project's readme

Please, let me know how I can ensure my apps are up-to-date and compliant with the latest security standards. Thanks!

Amazing! That works! Thanks.

  • ABP Framework version: v8.0.0
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated (for Angular): Tiered
  • Exception message and full stack trace:
  • Steps to reproduce the issue:

I'm using background jobs to perform certain tasks. One of them is to create tenants based on our requirements.

The issue I'm dealing with is authorising my processes to use **IEditionAppService** and ITenantAppService, which require certain policies ("Saas.Editions" and "Saas.Tenants").

Given that my process is initiated in the background, obviously it is not authenticated when trying to call those endpoints, resulting in Abp Auth Exception.

Question: What's the best way for me to bypass the need for authorisation on those services or for me to call them as if they could "allow anonymous"? Using context.Services.AddAlwaysAllowAuthorization(); is not an option unless we could do it just in the context of the background jobs.

If possible, provide me with examples on how I can elevate the privileges of my background processes to run as 'admin'.

Thanks!

I managed on my own.

  • ABP Framework version: v8.0.0
  • UI Type: MVC
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated (for Angular): Auth Server separated

Hi,

Where does ABP store Tenant Feature Settings & Edition Feature Settings?

I'm considering adding some defaults as part of the EF Migration.

Thanks

  • ABP Framework version: v8.0.0
  • UI Type: MVC / Blazor WASM / Blazor Server
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated (for Angular): tiered, auth server separated

Hi,

I'm having a hard time trying to migrate to .NET 8 using the tutorials from the ABP website such as https://docs.abp.io/en/abp/8.0/Migration-Guides/Abp-8_0 and https://blog.abp.io/abp/announcing-abp-8-0-release-candidate

I noticed there is no v8.0.0 (not even in the release candidate versions) for the packages 'Volo.Abp.Account.Pro.*'. Are they in the process of being migrated to .NET 8? What to do with them in the meantime?

Thanks

Thanks for the link! I had seen that bit already.

Authenticating with Auth0 will be fine, I'm sure. Still, I'm looking for guidance on how to use a 3rd party but also continue to leverage ABP's authorisation bits like permissions, roles, current tenant identification and all that.

Could you please help me with that? What are the things that will break in ABP's authorisation system when I decide not to use the out-of-the-box auth server? What are the things to be replaced/re-written/extended?

Thanks @maliming!

Would you have any examples of how to replace AddOpenIdConnect? If I manage to replace that with Auth0, do I still have to keep the ABP's Identity Server alive?

Made with ❤️ on ABP v9.1.0-preview. Updated on November 01, 2024, 05:35