Activities of "mkinc"

• ABP Framework version: Replicable on ABP commercial demo on 14/8/23: ABP v7.4.0. Updated on 2023-08-02 12:30 . Angular Version v16.0.6
• UI Type: Angular
• Database System: Unknown
• Tiered (for MVC) or Auth Server Separated (for Angular): Unknown
• Steps to reproduce the issue:
  • Log in as admin
  • Create a new user 'test1'
  • Logout
  • Login as test1
  • Set up 2FA authenticator app and enable 2FA
  • Logout
  • Login as test1 and confirm 2FA works as expected (without checking remember browser)
  • Logout
  • Login as admin
  • Edit test1 user to enable 'Should change password on next login'
  • Logout
  • In login page, enter credentials for test1 user
• Expected behaviour: Before asking for a new password, 2FA should be completed.
• Actual behaviour:
  • I am asked for current password, new password, new password (repeat) and after submitting that I can login without any 2FA.
  • In order to confirm 2FA is still forced, logout, login again and you will be correctly be asked for 2FA
• This is a critical security bug where 2FA can be bypassed even if the 2FA is forced.

Please let us know when this will be fixed + refund the question. Cheers.

Bug raised here https://support.abp.io/QA/Questions/5126/Bug---Should-change-password-on-next-login-should-enforce-password-to-be-different should have been fixed in 'the preview version for 7.3' but the issue is replicable both in v7.3.2 and the ABP commercial v7.4.0 as of 14/8/23.

• ABP Framework version: Replicable on ABP commercial demo on 14/8/23: ABP v7.4.0. Updated on 2023-08-02 12:30 . Angular Version v16.0.6
• UI Type: Angular
• Database System: Unknown
• Tiered (for MVC) or Auth Server Separated (for Angular): Unknown

Please let us know when this will be fixed + refund the question. Cheers.

• ABP Framework version: Replicable on ABP commercial demo on 14/8/23: ABP v7.4.0. Updated on 2023-08-02 12:30 . Angular Version v16.0.6
• UI Type: Angular
• Database System: Unknown
• Tiered (for MVC) or Auth Server Separated (for Angular): Unknown
• Background issue: https://support.abp.io/QA/Questions/5132/Bugs---Various-issues-with-user-filtering
  • In this question some bugs were identified and should have been fixed. Most have been fixed, except this one (https://support.abp.io/QA/Questions/5582/Bug-Filtering-users-by-Modification-date-does-not-work). But also it now highlights the below issue.
• Steps to reproduce the issue:
  • Login as admin
  • Go to Administration -> Identity Management -> Users (observe ALL users shown)
  • Open the Advanced Filters expandable.
  • Select the 'Role' as 'admin'
  • Check 'Email confirmed'
  • Click 'Refresh' (observe only admins with emails confirmed are displayed)
  • Uncheck 'Email confirmed'
  • Click 'Refresh' (observe only admins with emails NOT confirmed are displayed)
• Expected behaviour
  • 1. The state of filtering is completely encompassed in the filter options that are shown.
  • 2. There is a way to no longer filter 'Email confirmed', while keeping the 'Role' filter.
• Actual behaviour
  • 1. The UI looks the same when filtering by NOT 'Email confirmed' as it does when not filtering by 'Email confirmed'. The UI does not uniquely identify the filtering that is to be applied which is very confusing as a user.
  • 2. There is no way to set the 'Email confirmed' filtering to be off without losing all other filters.
• Other issues:
  • The same is replicable for all checkbox filters.
  • Thought needs to go into whether there are other cases of this in ABP tables.
• Proposed solution: The checkbox is replaced with a dropdown that has three options: '' (the no filtering option which is already present with Roles and other fields), 'True', 'False'.

Please let us know when this will be fixed + refund the question. Cheers.

• ABP Framework version: Replicable on ABP commercial demo on 14/8/23: ABP v7.4.0. Updated on 2023-08-02 12:30 . Angular Version v16.0.6
• UI Type: Angular
• Database System: Unknown
• Tiered (for MVC) or Auth Server Separated (for Angular): Unknown
• Background issue: https://support.abp.io/QA/Questions/5132/Bugs---Various-issues-with-user-filtering
  • In this question some bugs were identified and should have been fixed. Most have been fixed, but one has not been fixed.
• Steps to reproduce the issue:
  • Login as admin
  • Go to Administration -> Identity Management -> Users
  • Open the Advanced Filters expandable.
  • Set the modified date to a single date, or a range of dates, for which you know there are no modifications (e.g. a date in the future).
• Expected behaviour: No users are shown.
• Actual behaviour: All users are shown.
• Note the filtering does work for creation date, but not for modification date.

Please let us know when this will be fixed + refund the question. Cheers.

• ABP Framework version: v7.2.1
• UI type: Angular
• DB provider: EF Core
• Tiered (MVC) or Identity Server Separated (Angular): Separated OpenIdDict auth server
• Exception message and stack trace:
• Steps to reproduce the issue:
  • Log in as host admin
  • Create a user with username abc and email john.smith@example.com
  • Create another user with username john.smith@example.com and email john.smith2@example.com
• Expected behaviour: Error when creating user to say a user already exists with email 'john.smith@example.com'.
• Actual behaviour: User is created successfully, but the first user with username abc can now no longer log into their account using their email address.

Similar checks need to be made when attempting to change either username or password since no username should be identical with another user's email address (and vice versa). However it should be maintained that the username and email address of an individual user should be able to be the same. Please refund the question. Thanks.

• ABP Framework version: v7.2.1
• UI type: Angular
• DB provider: EF Core
• Tiered (MVC) or Identity Server Separated (Angular): OpenIdDict separate auth server
• Exception message and stack trace:
• Steps to reproduce the issue:
  • Log in as host admin
  • Create user
  • Login as the new user
  • In My account -> Personal info, click Verify next to email.
  • Logout of user
  • Click the link in the email
  • [Observe email has been confirmed which can later be verified in the front end for that user]
  • Click 'Log in to application'
• Expected behaviour: Goes to login page
• Actual behaviour: 404 page not found error. The link is to the base of the front end app (e.g. in dev for us it's https://admin.localhost:44388/) but this by itself isn't a valid url. It needs to be https://admin.localhost:44388/Account/Login with all the url params that you'd normally get if you navigated to the login page from the main app 'Login' button

Potential solutions:

• [Best solution?] Make sure the route of the auth server front end application routes to the login page or something?
• In EmailConfirmationModel make sure the ReturnUrl is set to the _appUrlProvider.GetUrlAsync("Angular") (e.g. for us that would be something like admin.localhost:4200)

Thanks.

• ABP Framework version: v7.3.0 - replicable on ABP demo on 24th May 2023.
• UI type: Angular
• DB provider: Unknown
• Tiered (MVC) or Identity Server Separated (Angular): Unknown
• Steps to reproduce the issue:
  • Login as admin
  • Navigate to Administration -> Identity Management -> Users
    • Observe all users shown in table.
  • Show the Advanced filters
  • Set 'Email confirmed' to on and click 'Refresh'
    • Observe no users correctly displayed
  • Set 'Email confirmed' to off and click 'Refresh'
• Expected behaviour: All users shown again.
• Actual behaviour: No users shown (and not even 'No data available' label)
• Further issues:
  • Same is replicable when using 'Is external'.
  • Issue not rectified when clicking 'Clear'.
  • Filtering by Creation date or Modified date does not appear to work at all (all users always displayed regardless of what creation date or Modified date range is used).

• ABP Framework version: v7.2.1
• UI type: Angular
• DB provider: EF Core
• Tiered (MVC) or Identity Server Separated (Angular): Separated AuthServer
• Steps to reproduce the issue:
  • Create user, enabling the 'Should change password on next login'.
  • Login as user
  • When prompted for new password, use the original password for current, new and new (repeat)
• Expected behaviour: Error on submit / validation error that doesn't allow submit.
• Actual behaviour: Password is allowed and user is logged in.

I can't really see any justification to suggest this isn't a bug since forcing a user to change password on next login is something used for security. Untested: Does this affect the 'Force users to periodically change password' feature as well?

• ABP Framework version: v7.1
• UI type: Angular
• DB provider: EF Core
• Tiered (MVC) or Identity Server Separated (Angular): Identity server separated

Is there any out of the box solution for any of the following:

Option A:

1. Admin creates user under a specific tenancy (optionally with user changes password on login)
2. User is emailed to say an account is created for them including their password.

Option B:

1. Admin creates user under a specific tenancy (optionally with user changes password on login)
2. Admin can click a button to invite that user to login to the system.

Option C:

1. Admin sets up an email address domain for which users can create accounts.
2. User can self register. If the email address domain used matches a domain relating to a tenant, it allows the registration, otherwise it does not allow the registration.

I did think the flow could be that the user is given a link to the 'Forgot password' page and goes through that flow, but this isn't very professional in my opinion. It seems strange that the out of the box solution is that anybody can create a user under any tenancy.

Thanks!