Prerequisites:
- What is your product version? 10.0
- What is your product type (Angular or MVC)? Angular
- What is product framework type (.net framework or .net core)? .net core
I have noticed that a few of the ApplicationServices in OurProject.Application make use of the Aspnetcore AuthorizeAttributeat class or method-leve, instead of AbpAuthorizeAttribute, namely these:
DynamicPropertyAppService,
DynamicPropertyValueAppService,
DynamicEntityPropertyAppService,
DynamicEntityPropertyValueAppService
PaymentAppService
But it does not seem that this attribute can do anything at the service layer, since these are not aspnetcore controllers. In practice it appears that unauthorized calls can be made. Should I replace with AbpAuthorize? Other services seem to use this, and when used, unauthorized calls are rejected.
1 Answer(s)
-
0
Hi,
Thank you for your report. Yes, AbpAuthorize attribute must be used, we will also fix it https://github.com/aspnetzero/aspnet-zero-core/issues/3721
