Hi guys,
When the CreateOrUpdateUser method is logged, the password is logged in plain text. This is a big security issue, as the logs could be used to compromise the system.
Can you add a setting to disable logging of sensitive information?
Thanks,
Dave
3 Answer(s)
-
0
Hi,
You can add the [DisableAuditing] attribute to the Password field of the UserEditDto class. See http://aspnetboilerplate.com/Pages/Documents/Audit-Logging#DocEnableDisableByAttrs. We will also add this, thanks for informing us. I have also created an issue on GitHub: https://github.com/aspnetzero/aspnet-zero/issues/384
-
0
I have a Zero app that still uses ABP 0.8.4.0, which means I am unable to add the disable auditing attribute to the password property. I can only add it to the CreateOrUpdateUser method. I would rather not add it to the method, since I would ultimately like to log when a user is either creating or editing another user.
I tried a couple of different things. I tried creating a new attribute like this:

    using System;

    /// <summary>
    /// Used to disable auditing for a single method or
    /// all methods of a class or interface.
    /// </summary>
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method | AttributeTargets.Property)]
    public class DisableAuditingPropertyAttribute : Attribute { }
But that did not work. I also tried inheriting from the original DisableAuditingAttribute, but that didn't work either. It kept logging the password.

    using System;
    using Abp.Auditing;

    // Property-only marker derived from ABP's own attribute
    [AttributeUsage(AttributeTargets.Property)]
    public class DisableAuditingPropertyAttribute : DisableAuditingAttribute { }

Does anyone have any ideas for the older version of ABP? I must be missing something.
-
0
Hi,
You need to upgrade ABP to at least 0.9.0. See the issue https://github.com/aspnetboilerplate/aspnetboilerplate/issues/646
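To make concrete what the property-level [DisableAuditing] in the first answer achieves, here is an added example (not ABP's or ASP.NET Zero's own code) of a Newtonsoft.Json contract resolver that drops attributed properties from the serialized audit payload, so the password never reaches the log. The attribute and DTO are stand-ins for Abp.Auditing.DisableAuditingAttribute and UserEditDto, and AuditRedactingResolver and SerializeForAudit are assumed names.

```csharp
using System;
using System.Reflection;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Marker attribute standing in for Abp.Auditing.DisableAuditingAttribute (assumed, not ABP's type).
[AttributeUsage(AttributeTargets.Property | AttributeTargets.Class | AttributeTargets.Method)]
public sealed class DisableAuditingAttribute : Attribute { }

// Contract resolver that omits every property carrying [DisableAuditing] from the serialized output.
// IsDefined(..., inherit: true) also matches attributes derived from DisableAuditingAttribute.
public sealed class AuditRedactingResolver : DefaultContractResolver
{
    protected override JsonProperty CreateProperty(MemberInfo member, MemberSerialization memberSerialization)
    {
        var property = base.CreateProperty(member, memberSerialization);
        if (member.IsDefined(typeof(DisableAuditingAttribute), inherit: true))
        {
            property.Ignored = true; // never written to the audit log
        }
        return property;
    }
}

// Constructed DTO mirroring the UserEditDto from the thread; only Password is excluded.
public class UserEditDto
{
    public long? Id { get; set; }
    public string UserName { get; set; }
    public string EmailAddress { get; set; }

    [DisableAuditing]
    public string Password { get; set; }
}

public static class AuditSerializer
{
    private static readonly JsonSerializerSettings Settings = new JsonSerializerSettings
    {
        ContractResolver = new AuditRedactingResolver()
    };

    // Serializes method arguments the way an audit interceptor would, honouring [DisableAuditing]
    // on nested objects as well as top-level ones.
    public static string SerializeForAudit(object arguments) => JsonConvert.SerializeObject(arguments, Settings);

    public static void Main()
    {
        // Constructed sample input; the Password value is absent from the printed JSON.
        var input = new UserEditDto { Id = 42, UserName = "dave", EmailAddress = "dave@example.com", Password = "P@ssw0rd!" };
        Console.WriteLine(SerializeForAudit(new { input }));
    }
}
```

The point for the 0.8.4 question above is that an attribute only redacts anything if the code that serializes the audit arguments actually inspects it; a new attribute the serializer has never heard of, or a subclass it does not check for, changes nothing.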