search

abpframework / abp

Open-source web application framework for ASP.NET Core! Offers an opinionated architecture to build enterprise software solutions with best practices on top of the .NET. Provides the fundamental infrastructure, cross-cutting-concern implementations, startup templates, application modules, UI themes, tooling and documentation.
https://abp.io
GNU Lesser General Public License v3.0
12.86k stars 3.43k forks source link

Cannot apply security to ABP Docs module #20947

Open jerinantony11 opened 2 weeks ago

jerinantony11 commented 2 weeks ago

Is there an existing issue for this?

Description

I have followed this url [https://abp.io/docs/latest/modules/docs] to implement the docs module. It doesn't say anything about securing the module. The link is available to public outside authentication . Which is a serios issue for us.

Reproduction Steps

Follow the link [https://abp.io/docs/latest/modules/docs] to setup docs module and access the link . The contents can be accessible without authentication.

Expected behavior

There must be a provision to secure the help contents

Actual behavior

Help content is not secured.

Regression?

No response

Known Workarounds

NIL

Version

8

User Interface

Angular

Database Provider

EF Core (Default)

Tiered or separate authentication server

None (Default)

Operation System

Windows (Default)

Other information

No response

realLiangshiwei commented 2 weeks ago

You have to do it yourself. For example you can add a middleware to check the permissions

jerinantony11 commented 2 weeks ago

I wrote a middleware as below `using Company.Tool.Permissions; using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Http; using System.Threading.Tasks; using Volo.Abp.Authorization.Permissions; using Volo.Abp.Users; namespace Company.Tool.Middlewares { public class DocumentPermissionMiddleware { private readonly RequestDelegate _next; private readonly IPermissionChecker _permissionChecker; private readonly IAuthorizationService _authorizationService; private readonly ICurrentUser _currentUser; private readonly IHttpContextAccessor _httpContextAccessor; public DocumentPermissionMiddleware(RequestDelegate next , IPermissionChecker permissionChecker , IAuthorizationService authorizationService , ICurrentUser currentUser , IHttpContextAccessor httpContextAccessor) { _next = next; _permissionChecker = permissionChecker; _authorizationService = authorizationService;
_currentUser = currentUser; _httpContextAccessor = httpContextAccessor; }

    public async Task InvokeAsync(HttpContext context)
    {
        // Check if the request is for the '/documents' URL
        if (context.Request.Path.StartsWithSegments("/documents"))
        {
            // Check if the user has the required permission
            var userHasPermission = await CheckUserPermission(context); 
            var userHasPermission1 = await CheckUserPermissionv2(context);
            if (!userHasPermission)
            {
                context.Response.StatusCode = StatusCodes.Status401Unauthorized;
                await context.Response.WriteAsync("Unauthorized access");
                return;
            }
        }
        await _next(context);
    }
    private async Task<bool> CheckUserPermission(HttpContext context)
    {
        return await _permissionChecker.IsGrantedAsync(ToolPermissions.Documentation.View);
    }
    private async Task<bool> CheckUserPermissionv2(HttpContext context)
    {
        return await _authorizationService.IsGrantedAsync(ToolPermissions.Documentation.View);
    }
}

} its called from the HostModule after app.UseAuthentication(); & app.UseAuthorization(); . The permission checker always returns false. Also the httpContextAccessor says unauthenticated . The CurrentUser is also null . I'm using Single Sign Onext.Services.AddAuthentication().AddMicrosoftIdentityWebApp(configuration.GetSection("AzureAd"), cookieScheme: null);`