- What is your product version? v11.2.0
- What is your product type (Angular or MVC)? Angular
- What is product framework type (.net framework or .net core)? .net 6
In performing a security audit of an application I manage, I observed that in the AbpUserConfiguration/GetAll endpoint, in the response JSON, under "setting.values", all of the application settings are returned. In reviewing the custom AppSettings that I have added to this platform, there are several that I do not want returned to any public / anonymous external client. Additionally, I have some settings that I do not want returned to authorized / authenticated clients either. These settings are strictly accessible under the Administration UI for setting management, which are then used only server-side for processing and execution.
As an idea, I was thinking either in the AppSettings or in SettingDefinition, adding the ability to add an authorization boundary, similar to MultiTenancySides, and then a set of optional required permissions.
The authorization boundary would drive AbpUserConfiguration for retrieving settings, and would only return those settings that were appropriately defined (or attributed).
So when loading the login page, I would only load those settings that were made available to anonymous visitors.
Then when loading an authenticated page, I would only load those settings that were available to anonymous and authorized visitors, and that matched the current user's permission set.
I do recognize for AbpUserConfiguration that I can define my own Controller to customize this behavior. That being said, I thought that this could be a valuable feature to include in the base ABP or ANZ frameworks.
Currently, you can set ClientVisibilityProvider for each setting definition. See https://aspnetboilerplate.com/Pages/Documents/Setting-Management#client-side. I think this might work for you. You can also create your own
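To tie the answer back to the four cases in the question (anonymous, authenticated, permission-gated, server-only), here is an added example of a SettingProvider that uses the ClientVisibilityProvider mechanism from the linked docs, plus one custom provider. This is not code from the thread or from ABP itself; the built-in provider classes (VisibleSettingClientVisibilityProvider, HiddenSettingClientVisibilityProvider, RequiresAuthenticationSettingClientVisibilityProvider, RequiresPermissionSettingClientVisibilityProvider) and the ISettingClientVisibilityProvider interface are ABP's, while the setting names, the permission name, the namespace and the HostUsersOnlyClientVisibilityProvider class are made up for illustration. ABP evaluates each definition's provider when it builds the client configuration that AbpUserConfiguration/GetAll returns, so a setting whose provider returns false is simply absent from "setting.values" for that caller; the setting stays readable server-side through ISettingManager regardless.

```csharp
using System.Collections.Generic;
using System.Threading.Tasks;
using Abp.Authorization;
using Abp.Configuration;
using Abp.Dependency;
using Abp.Runtime.Session;

namespace MyCompany.MyApp.Configuration // assumed namespace
{
    // Assumed permission name; replace with one declared in your AuthorizationProvider.
    public static class AppPermissions
    {
        public const string ManageIntegrations = "Pages.Administration.Integrations";
    }

    // Custom visibility rule (illustrative): only an authenticated host-side user
    // (no tenant in the session) gets this setting in the client configuration.
    public class HostUsersOnlyClientVisibilityProvider : ISettingClientVisibilityProvider
    {
        public Task<bool> CheckVisible(IScopedIocResolver scope)
        {
            var session = scope.Resolve<IAbpSession>();
            var visible = session.UserId.HasValue && !session.TenantId.HasValue;
            return Task.FromResult(visible);
        }
    }

    public class AppSettingProvider : SettingProvider
    {
        public override IEnumerable<SettingDefinition> GetSettingDefinitions(SettingDefinitionProviderContext context)
        {
            return new[]
            {
                // Needed on the login page: returned to everyone, including anonymous clients.
                new SettingDefinition(
                    "App.UiTheme",
                    "default",
                    scopes: SettingScopes.Application,
                    clientVisibilityProvider: new VisibleSettingClientVisibilityProvider()),

                // Returned only when the caller has an authenticated session.
                new SettingDefinition(
                    "App.SupportEmail",
                    "support@example.com",
                    scopes: SettingScopes.Application,
                    clientVisibilityProvider: new RequiresAuthenticationSettingClientVisibilityProvider()),

                // Returned only when the current user holds the given permission.
                new SettingDefinition(
                    "App.Integrations.WebhookUrl",
                    "",
                    scopes: SettingScopes.Application,
                    clientVisibilityProvider: new RequiresPermissionSettingClientVisibilityProvider(
                        new SimplePermissionDependency(AppPermissions.ManageIntegrations))),

                // Uses the custom rule defined above.
                new SettingDefinition(
                    "App.HostDashboard.RefreshSeconds",
                    "30",
                    scopes: SettingScopes.Application,
                    clientVisibilityProvider: new HostUsersOnlyClientVisibilityProvider()),

                // Server-side secret: never sent to any client. Hidden is what ABP uses when no
                // provider is given (my understanding of the constructor default); stating it
                // explicitly documents the intent for the next auditor.
                new SettingDefinition(
                    "App.Integrations.ApiKey",
                    "",
                    scopes: SettingScopes.Application,
                    clientVisibilityProvider: new HiddenSettingClientVisibilityProvider())
            };
        }
    }
}
```

Register the provider in your module's PreInitialize (Configuration.Settings.Providers.Add<AppSettingProvider>()) as with any other SettingProvider. A quick check after deploying: call AbpUserConfiguration/GetAll once without a session and once as a non-admin user, and confirm that "setting.values" contains only the keys you expect for each caller.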