Activities of "auxo-devsu"

Could you please share with me the code reference so I know where ABP populates ICurrentUser? I'm a commercial customer, but I'm happy with a reference to the open-source version, too.

Thanks, Osmar

Thank you, this was helpful!

A couple of additional questions on top of what I sent before:

  1. This could break a lot of built-in functionality, and I'm not sure it's feasible. Could you please expand on what you think would break and why?
  2. I am creating my own implementation of ICurrentUser and that seems to be the right direction in terms of passing the correct ID to ABP. How does ABP handle the claims received by Auth Server? Does ABP have anything in between the Auth Server and how claims get populated within the ClaimsPrincipal?

Thanks.

I spent the day looking into this, but unfortunately, as we are ABP Commercial customers, I can't see what IdentityPro registers. I would like to know which services to rewrite, which claims my users have to have, and how to ensure that tenant information and the current user are populated correctly.

  • ABP Framework version: v8.1.0
  • UI Type: MVC
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated (for Angular): tiered
  • Exception message and full stack trace:
  • Steps to reproduce the issue:

Hi,

I'm replacing ABP's AuthServer with Auth0. I can authenticate users on Auth0, but that's the easiest part. To make things easier, I'm tackling one problem at a time. Please note that I have looked at the docs and didn't find anything pointing me in the right direction.

**I want to log into the Admin Web Portal using my Auth0 user**

I have successfully configured the authentication to switch from Auth0 to Auth Server - both can authenticate, but only Auth Server authorises users.

**My questions are:**

  1. How do I let the authenticated user see the links and menus post-authentication?
  2. How do I ensure that ICurrentTenant has the correct tenant post-login?
  3. How do I ensure that CurrentUser.IsAuthenticated gets updated correctly? I can see that HttpContext.User.IsAuthenticated equals true, but CurrentUser.IsAuthenticated is always false.

Thanks in advance.
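The symptom in question 3 (HttpContext.User is authenticated while CurrentUser.IsAuthenticated stays false) is what ABP's CurrentUser reports when the principal carries no user-id claim it can parse as a Guid: CurrentUser.IsAuthenticated is simply Id.HasValue, and Id is read from the claim type AbpClaimTypes.UserId (ClaimTypes.NameIdentifier by default). An Auth0 subject such as auth0|... is not a Guid, so it never qualifies, and the tenant is likewise read from the AbpClaimTypes.TenantId claim by ABP's current-user tenant resolver. The following is an added example, not code from the original posts or from ABP, showing one way to bridge the two: an ASP.NET Core IClaimsTransformation that resolves the validated external subject to the local ABP user and tenant and adds the claims ABP reads. IExternalUserMap, MappedUser and ExternalIdpClaimsTransformation are names invented for the example; the lookup behind IExternalUserMap is something you would implement against your own user store.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Volo.Abp.Security.Claims;

// Hypothetical lookup (not an ABP API): resolves the subject issued by the external
// IdP to the local ABP Identity user. Back it with your own mapping table or
// IIdentityUserRepository; never derive the local id from the token text itself.
public record MappedUser(Guid UserId, string UserName, Guid? TenantId);

public interface IExternalUserMap
{
    Task<MappedUser?> FindAsync(string? issuer, string subject);
}

// Runs after the authentication handler has validated the token, on every request,
// and adds the claims ABP's CurrentUser and current-user tenant resolver read.
public class ExternalIdpClaimsTransformation : IClaimsTransformation
{
    private readonly IExternalUserMap _map;

    public ExternalIdpClaimsTransformation(IExternalUserMap map)
    {
        _map = map;
    }

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        if (principal.Identity is not ClaimsIdentity identity || !identity.IsAuthenticated)
        {
            return principal;
        }

        // ABP Guid-parses the first AbpClaimTypes.UserId claim; a value like
        // "auth0|abc123" yields null, which is the "IsAuthenticated == false" symptom.
        // If a Guid is already present (e.g. a second pass), there is nothing to do.
        var existingUserId = identity.FindFirst(AbpClaimTypes.UserId)?.Value;
        if (Guid.TryParse(existingUserId, out _))
        {
            return principal;
        }

        // With default inbound claim mapping the JWT "sub" is renamed to NameIdentifier,
        // so accept either spelling of the subject.
        var subject = identity.FindFirst("sub")?.Value ?? existingUserId;
        var issuer = identity.FindFirst("iss")?.Value;
        if (string.IsNullOrEmpty(subject))
        {
            return principal;
        }

        var user = await _map.FindAsync(issuer, subject);
        if (user == null)
        {
            // Unknown subject: leave the principal untouched so ABP treats the caller as
            // anonymous. Auto-provisioning belongs in an explicit onboarding step, not here.
            return principal;
        }

        // Work on a copy so the authentication handler's principal is not mutated in place.
        var result = principal.Clone();
        var target = (ClaimsIdentity)result.Identity!;

        // Drop a non-Guid user-id claim first; ABP reads the first matching claim it finds.
        var stale = target.FindFirst(AbpClaimTypes.UserId);
        if (stale != null)
        {
            target.RemoveClaim(stale);
        }

        target.AddClaim(new Claim(AbpClaimTypes.UserId, user.UserId.ToString()));
        target.AddClaim(new Claim(AbpClaimTypes.UserName, user.UserName));
        if (user.TenantId.HasValue)
        {
            // Take the tenant from the server-side mapping, never from a tenant claim the
            // client could have asked the IdP to include.
            target.AddClaim(new Claim(AbpClaimTypes.TenantId, user.TenantId.Value.ToString()));
        }

        return result;
    }
}
```

Register it in the web module's ConfigureServices with `context.Services.AddTransient<IClaimsTransformation, ExternalIdpClaimsTransformation>();`. ABP's ICurrentPrincipalAccessor in a web host returns HttpContext.User, and claims transformation runs as part of authentication, so once the Guid-valued user-id claim is present CurrentUser.IsAuthenticated, CurrentUser.Id and the current tenant follow without replacing ICurrentUser. Because the transformation runs on every request, cache the subject-to-user lookup, and keep the mapping table as the single authority for which external subject may act as which local user and tenant.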

Thanks!

Regarding Item 1, I will try to work with that, but so far no luck.

Regarding Item 2, this is what I've done, but no luck either:

What am I missing?

I'm sorry, but I checked both documents before coming here; otherwise, I wouldn't have created a ticket.

If you refuse to give me an answer, that's OK. I have a fully functional system, but I can't see how I can remove the permission groups in either document you have suggested so far. If that's as simple as you suggested, I would really appreciate it if you could copy something from the actual page that indicates how to do what I am asking.

Sorry, maybe I'm missing something here.

1. I would like to delete the permission groups above. What are the options I have for doing that?

How does this help deleting the groups I posted in my question? I would like to have permissions that I no longer define deleted from the application.

2. I would like to define the permissions of a given role. What are the options I have for doing that? Currently, I create my roles using IdentityRoleManager.CreateAsync, and then the permissions are loaded into the system through the class inheriting from PermissionDefinitionProvider. If I am to create my roles and associate the default permissions for my role, are you saying that I create group.AddPermission("MyPermissionName").WithProviders("IdentityRoleName");?

3. How do I ensure that new tenants being created always get the latest set of default permissions for the application? I'm on ABP commercial and would like to ensure that new tenants have the roles and also the permissions associated with the role created by default. If I do what is explained in step 2, do I achieve what I would like to?

4. Can I disable the out-of-the-box admin role? How do I do that?

Thanks

  • ABP Framework version: v8.0.0
  • UI Type: Angular / MVC / Blazor WASM / Blazor Server
  • Database System: EF Core (SQL Server)

I'm struggling to get around how to manage permissions, permissions no longer used and permissions per role.

  1. I would like to delete the permission groups above. What are the options I have for doing that?
  2. I would like to define the permissions of a given role. What are the options I have for doing that?
  3. How do I ensure that new tenants being created always get the latest set of default permissions for the application?
  4. Can I disable the out-of-the-box admin role?

Thanks!
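Questions 2 and 3 here, and the same questions in the follow-up post above, concern two layers ABP keeps separate: a PermissionDefinitionProvider declares that a permission exists, while a grant to a role is a row in the permission-grant store keyed by provider name "R" and provider key equal to the role name. WithProviders() narrows which provider types ("R" role, "U" user, "C" client) may hold a grant at all; it does not name a role. The following is an added example, not code from the posts or from ABP, showing a definition provider for a hypothetical "Orders" group together with an IDataSeedContributor that creates a role and grants it the defaults, scoped to whatever tenant the seeder is running for. OrdersPermissions, OrdersPermissionDefinitionProvider, OrdersRoleDataSeedContributor and the OrderApprover role are names invented for the example.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Volo.Abp.Authorization.Permissions;
using Volo.Abp.Data;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Guids;
using Volo.Abp.Identity;
using Volo.Abp.MultiTenancy;
using Volo.Abp.PermissionManagement;

// Hypothetical permission names used by this example.
public static class OrdersPermissions
{
    public const string GroupName = "Orders";
    public const string View = GroupName + ".View";
    public const string Approve = GroupName + ".Approve";
    public const string Export = GroupName + ".Export";
}

// Layer 1: which permissions exist. Removing a line here stops the permission from
// being defined (it disappears from the permission dialog); it does not delete grant
// rows already stored in the database.
public class OrdersPermissionDefinitionProvider : PermissionDefinitionProvider
{
    public override void Define(IPermissionDefinitionContext context)
    {
        var group = context.AddGroup(OrdersPermissions.GroupName);
        group.AddPermission(OrdersPermissions.View);
        group.AddPermission(OrdersPermissions.Approve);
        // WithProviders restricts provider *types*, not roles: Export can only ever be
        // granted through the role provider, never directly to a user or client.
        group.AddPermission(OrdersPermissions.Export)
            .WithProviders(RolePermissionValueProvider.ProviderName);
    }
}

// Layer 2: which role holds which grants. ABP runs every IDataSeedContributor with a
// DataSeedContext for the host and for each tenant being seeded, a newly created tenant
// included, so these defaults are applied per tenant and re-applied on every seed run.
public class OrdersRoleDataSeedContributor : IDataSeedContributor, ITransientDependency
{
    private const string RoleName = "OrderApprover";

    private static readonly string[] DefaultGrants =
    {
        OrdersPermissions.View,
        OrdersPermissions.Approve
    };

    private readonly IIdentityRoleRepository _roleRepository;
    private readonly IdentityRoleManager _roleManager;
    private readonly ILookupNormalizer _lookupNormalizer;
    private readonly IGuidGenerator _guidGenerator;
    private readonly IPermissionDataSeeder _permissionDataSeeder;
    private readonly ICurrentTenant _currentTenant;

    public OrdersRoleDataSeedContributor(
        IIdentityRoleRepository roleRepository,
        IdentityRoleManager roleManager,
        ILookupNormalizer lookupNormalizer,
        IGuidGenerator guidGenerator,
        IPermissionDataSeeder permissionDataSeeder,
        ICurrentTenant currentTenant)
    {
        _roleRepository = roleRepository;
        _roleManager = roleManager;
        _lookupNormalizer = lookupNormalizer;
        _guidGenerator = guidGenerator;
        _permissionDataSeeder = permissionDataSeeder;
        _currentTenant = currentTenant;
    }

    public async Task SeedAsync(DataSeedContext context)
    {
        // Everything below is scoped to the tenant being seeded (null = host side).
        using (_currentTenant.Change(context.TenantId))
        {
            var role = await _roleRepository.FindByNormalizedNameAsync(
                _lookupNormalizer.NormalizeName(RoleName));

            if (role == null)
            {
                role = new IdentityRole(_guidGenerator.Create(), RoleName, context.TenantId);
                (await _roleManager.CreateAsync(role)).CheckErrors();
            }

            // Grants are keyed by provider name "R" and provider key = role name.
            // The seeder skips names already granted, so extending DefaultGrants and
            // re-running adds only the new permissions.
            await _permissionDataSeeder.SeedAsync(
                RolePermissionValueProvider.ProviderName,
                RoleName,
                DefaultGrants,
                context.TenantId);
        }
    }
}
```

For tenants that already exist, run the DbMigrator (or call IDataSeeder for each tenant) after deploying a change to DefaultGrants; new tenants pick the contributor up when their data is seeded at creation. Note what this does not do: deleting a permission from the definition provider leaves old grant rows in the permission-grant table, so stale grants have to be removed separately through the permission-grant repository, and the seeder only adds grants, never revokes them.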

That sounds good! Thank you!

  • ABP Framework version: v8.0.0
  • UI Type: MVC
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated (for Angular): separated

Hi,

Over the last 11 months, we've been using ABP, and we are happy with it. However, I have been ignoring some key security alerts emitted by GitHub Dependabot, and I'd like to know if the ABP team is currently using something along those lines and, also, when there will be an update for the following vulnerabilities:

HIGH

  • uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) via IPv4-mapped IPv6 addresses.
    • @volo/account@8.0.0 requires uppy@^1.16.1 via @abp/uppy@8.0.0.
    • Patched version is 2.3.3
  • This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
    • @volo/abp.aspnetcore.mvc.ui.theme.leptonx@3.0.0 requires glob-parent@^3.1.0 via a transitive dependency on chokidar@2.1.8
    • @volo/account@8.0.0 requires glob-parent@^3.1.0 via a transitive dependency on chokidar@2.1.8
    • @volo/abp.aspnetcore.mvc.ui.theme.leptonx@3.0.0 requires glob-parent@^3.1.0 via a transitive dependency on glob-stream@6.1.0
    • @volo/account@8.0.0 requires glob-parent@^3.1.0 via a transitive dependency on glob-stream@6.1.0
    • Patched version is 5.1.2

MEDIUM

  • ReDoS in Sec-Websocket-Protocol header - A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server.
    • @volo/account@8.0.0 requires ws@~6.1.0 via a transitive dependency on engine.io-client@3.3.3
    • The earliest fixed version is 6.2.2.

LOW

  • sweetalert2 v11.6.14 and above contains potentially undesirable behavior - sweetalert2 versions 11.6.14 and above have potentially undesirable behavior. The package outputs audio and/or video messages that do not pertain to the functionality of the package when run on specific TLDs. This functionality is documented in the project's readme.

Please, let me know how I can ensure my apps are up-to-date and compliant with the latest security standards. Thanks!

Made with ❤️ on ABP v8.2.0-preview Updated on March 25, 2024, 15:11