
Permission given to host admin affects tenant admins #1245


0
safak.bal created
  • ABP Framework version: v4.0.0
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes
  • Steps to reproduce the issue:

When I grant a permission to the host admin user, the tenant admin users can also access the granted app service method.

[Authorize(QueryPermissions.QueryManagement_ExportImport)]
public async Task<IActionResult> Export()

But when I remove all the permissions, including the host admin's, the method returns 403 as expected. However, this method can still be accessed by tenant admins when I remove the tenant admins' permissions but the host still has the permission.


7 Answer(s)
  • 0
    maliming created
    Support Team

    hi

    Can you share the steps and code to repro your problem?

  • 0
    safak.bal created

    Permission Definition:

    queryManagement.AddChild(QueryPermissions.QueryManagement_ExportImport, localizationHelper.L("Permission:QueryManagement:ExportImport"));

    AppService Method Authorization:

    [Authorize(QueryPermissions.QueryManagement_ExportImport)]
    public async Task<IActionResult> Export()

    Steps to repro:

    • Add one or more tenants
    • Give the permission to the host, and remove it from the tenant
    • Get a token with the tenant admin and make a request to the Export method; it returns a 200 result code (this must be 403 but returns 200)
    • Remove the permission from the host admin, get a new token with the tenant admin, make a request to the Export method and get a 403 result code

    As a result, when the permission is granted to the host admin, all tenant admins without the permission can access the resource.

  • 0
    maliming created
    Support Team

    hi

    Get token with tenant admin and make request to the Export method and get 200 result code ( this must be 403 but returns 200)

    Can you check your token claims on https://jwt.io/ ?

  • 0
    safak.bal created

    Host admin token

    {
      "nbf": 1620373769,
      "exp": 1651909769,
      "iss": "/ca-identity",
      "aud": "CA",
      "client_id": "CA_App",
      "sub": "c078ca72-4869-5383-7919-39fb0586c555",
      "auth_time": 1620373762,
      "idp": "local",
      "role": "admin",
      "phone_number_verified": "False",
      "email": "[email protected]",
      "email_verified": "False",
      "name": "admin",
      "sid": "2772ED5FA9773ADB01C8DCDF6B6E44D2",
      "iat": 1620373769,
      "scope": [ "openid", "CA", "offline_access" ],
      "amr": [ "pwd" ]
    }

    Tenant admin token

    {
      "nbf": 1620373904,
      "exp": 1651909904,
      "iss": "/ca-identity",
      "aud": "CA",
      "client_id": "CA_App",
      "sub": "1f1207be-c392-3215-258e-39fb05868f66",
      "auth_time": 1620373896,
      "idp": "local",
      "tenantid": "0748e09a-d518-92fb-df3a-39fb058627cc",
      "role": "admin",
      "phone_number_verified": "False",
      "email": "[email protected]",
      "email_verified": "False",
      "name": "admin",
      "sid": "AB62428E55B0BFB174AFD6FB1B8DBDCE",
      "iat": 1620373904,
      "scope": [ "openid", "CA", "offline_access" ],
      "amr": [ "pwd" ]
    }

    Is there a problem? When the host admin has the permission, the tenant token also makes the request and gets 200, but when I remove the permission from the host admin role, both tokens get 403.
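As an added example that is not part of this thread or of the ABP project, the script below automates the two things discussed above: it decodes each token locally to confirm which one carries the `tenantid` claim (the check maliming asked for on jwt.io, which rules out the "wrong token" explanation), and then replays repro steps 3 and 4 against the Export endpoint, reporting whether the tenant admin is refused while the host admin is allowed. The endpoint URL, the `fetch` hook and the sample tokens are assumptions; the samples are unsigned and built only from claims quoted in this thread, so they work offline for claim inspection but would be rejected by any real server.

```python
import base64
import json
import urllib.error
import urllib.request


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying the signature.
    This only inspects which identity a token carries (what jwt.io displays);
    it must never be used to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_scope(token: str) -> str:
    """'host' when the token has no tenant claim, else 'tenant:<id>'.
    Assumption (taken from the claims posted above): ABP tokens for tenant users
    carry a 'tenantid' claim and tokens for host users do not."""
    tenant = decode_jwt_payload(token).get("tenantid")
    return f"tenant:{tenant}" if tenant else "host"


def http_status(url: str, token: str, timeout: float = 10) -> int:
    """GET the url with a bearer token and return the HTTP status code."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_tenant_isolation(url: str, host_token: str, tenant_token: str,
                           fetch=http_status) -> dict:
    """Replay steps 3 and 4 of the repro: the grant exists on the host only, so the
    host admin should get 200 and the tenant admin must get 403. The token kinds are
    confirmed first so that a swapped token cannot produce a misleading result."""
    if token_scope(host_token) != "host":
        raise ValueError("host_token carries a tenantid claim; wrong token?")
    if not token_scope(tenant_token).startswith("tenant:"):
        raise ValueError("tenant_token has no tenantid claim; wrong token?")
    host_status = fetch(url, host_token)
    tenant_status = fetch(url, tenant_token)
    return {
        "host": host_status,
        "tenant": tenant_status,
        # the expected outcome from the thread: host 200, tenant 403
        "isolated": host_status == 200 and tenant_status == 403,
    }


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token for offline claim inspection only: the header has
    no alg and the signature segment is empty, so no server will accept it."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'typ': 'JWT'})}.{seg(claims)}."


# Constructed samples using only claims quoted in the thread (signatures omitted).
HOST_SAMPLE = make_unsigned_jwt({
    "iss": "/ca-identity", "aud": "CA", "client_id": "CA_App",
    "sub": "c078ca72-4869-5383-7919-39fb0586c555", "role": "admin", "name": "admin",
})
TENANT_SAMPLE = make_unsigned_jwt({
    "iss": "/ca-identity", "aud": "CA", "client_id": "CA_App",
    "sub": "1f1207be-c392-3215-258e-39fb05868f66",
    "tenantid": "0748e09a-d518-92fb-df3a-39fb058627cc", "role": "admin", "name": "admin",
})


if __name__ == "__main__":
    import sys
    # Usage: python check_isolation.py <export-url> <host-admin-jwt> <tenant-admin-jwt>
    if len(sys.argv) == 4:
        print(check_tenant_isolation(sys.argv[1], sys.argv[2], sys.argv[3]))
    else:
        print("host sample   ->", token_scope(HOST_SAMPLE))
        print("tenant sample ->", token_scope(TENANT_SAMPLE))
```

Run it with the real Export URL and the two freshly issued tokens; an `isolated: False` result with `tenant: 200` is the leak described in the report, while a `ValueError` means the tokens were swapped or the tenant token was issued without a tenant context.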

  • 0
    maliming created
    Support Team

    hi

    I haven't reproduced your problem, I think you may have used the wrong token.

    Can you share a simple demo project? [email protected]

  • 0
    safak.bal created

    Hi, I am sure I am using the correct tokens, whose claims I sent you.

  • 0
    maliming created
    Support Team

    hi

    Can you share a simple demo project to reproduce this problem? [email protected]