I am unable to install 11.0.0 rc-1. When trying to run Update-Database in the Package Manager Console I get an error:
An error occurred while accessing the Microsoft.Extensions.Hosting services. Continuing without the application service provider. Error: The configuration file 'secrets.json' was not found and is not optional. The expected physical path was 'D:\Data\Business\Git Repos\OE_Tenant_11_rc1\OE_Tenant\src\OE_Tenant.Web.Mvc\secrets.json'.
There is no such file in the downloaded Zip file, and the installation instructions have not been updated to provide any guidance on how to install 11.0.0 rc-1, what the secrets.json file does, or how it is created.
I see that 11.0.0 rc-1 is now available but the other dropdown for the .NET version only lists .NET 5.
Is 11.0.0 rc-1 for ASP.NET Core MVC & Jquery a .NET 6.0 solution?
Here is a screenshot of 10.3 .NET Core 5 jQuery showing the hardcoded value of 3. The initial install has no value for password length in the AbpSettings table. The first time you edit something on the Settings\Security page, values get written to the AbpSettings table, but then I can even set the password length to 1.
16 2021-05-25 21:24:46.9635847 2 2021-05-25 21:27:40.7215188 2 Abp.Zero.UserManagement.PasswordComplexity.RequiredLength 1 NULL 1
The code is in \Admin\Controllers\UsersController.cs starting at line 79
I think this is the 10.3 code
public async Task<PartialViewResult> CreateOrEditModal(long? id)
{
    var output = await _userAppService.GetUserForEdit(new NullableIdDto<long> { Id = id });
    var viewModel = ObjectMapper.Map<CreateOrEditUserModalViewModel>(output);
    // The password rules shown in the modal come straight from the settings store;
    // nothing here enforces a minimum on what that store holds.
    viewModel.PasswordComplexitySetting = await _passwordComplexitySettingStore.GetSettingsAsync();
    return PartialView("_CreateOrEditModal", viewModel);
}
This is the code from 8.5 and where we added the password length to the viewmodel \Admin\Controllers\UsersController.cs starting at line 77
[AbpMvcAuthorize(AppPermissions.Pages_Administration_Users_Create, AppPermissions.Pages_Administration_Users_Edit)]
public async Task<PartialViewResult> CreateOrEditModal(long? id)
{
    var output = await _userAppService.GetUserForEdit(new NullableIdDto<long> { Id = id });
    var viewModel = ObjectMapper.Map<CreateOrEditUserModalViewModel>(output);
    viewModel.PasswordComplexitySetting = await _passwordComplexitySettingStore.GetSettingsAsync();
    // Our 8.5 customization: override whatever length is stored with a hard-coded 12.
    viewModel.PasswordComplexitySetting.RequiredLength = 12;
    return PartialView("_CreateOrEditModal", viewModel);
}
A sloppy Tenant can create an incredibly unsafe site with these defaults. The default minimum length should be something that can be edited in appsettings rather than having to rewrite core code to prevent Users from saving an unsafe password length to the database.
10.3 MVC .net Core
Testing out the latest version to work out upgrading from 8.5. I am trying to minimize the amount of custom coding I need to do, to make it easier to update to future versions. One thing that is still hardcoded in the app is the password length of 3, which is of course not an acceptable value. It would be really great if this essential security element could be set in appsettings rather than having to redo the code every time.
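One way to get the behaviour these two posts ask for, as an added example that is not ASP.NET Zero's own code: read a host-wide password-policy floor from configuration and reject any tenant-supplied setting that falls below it before it reaches the settings table. The "PasswordPolicy" section name, the property names and the TenantPasswordSetting shape are assumptions for this example; it uses only Microsoft.Extensions.Configuration and Microsoft.Extensions.Configuration.Binder.

```csharp
// Added example (not ASP.NET Zero code): enforce a host-wide password policy floor
// loaded from appsettings.json so a tenant can tighten the policy but never loosen it.
// Assumed: the "PasswordPolicy" section name and the property names below.
using System;
using System.Collections.Generic;
using Microsoft.Extensions.Configuration;

public sealed class PasswordPolicyFloor
{
    public const string SectionName = "PasswordPolicy"; // assumed appsettings.json section
    // Defaults apply when the section is missing, so a forgotten entry never lowers the floor.
    public int MinimumRequiredLength { get; set; } = 12;
    public bool RequireDigit { get; set; } = true;
    public bool RequireUppercase { get; set; } = true;
    public bool RequireNonAlphanumeric { get; set; } = true;
}

// Stand-in for the values an administrator can edit on the Settings/Security page.
public sealed class TenantPasswordSetting
{
    public int RequiredLength { get; set; }
    public bool RequireDigit { get; set; }
    public bool RequireUppercase { get; set; }
    public bool RequireNonAlphanumeric { get; set; }
}

public static class PasswordPolicyGuard
{
    public static PasswordPolicyFloor LoadFloor(IConfiguration configuration) =>
        configuration.GetSection(PasswordPolicyFloor.SectionName).Get<PasswordPolicyFloor>()
        ?? new PasswordPolicyFloor();

    // Call this before the tenant's values are persisted. Every violation is reported
    // so the caller can refuse the save instead of silently storing a length of 1.
    public static IReadOnlyList<string> Violations(PasswordPolicyFloor floor, TenantPasswordSetting requested)
    {
        var errors = new List<string>();
        if (requested.RequiredLength < floor.MinimumRequiredLength)
            errors.Add($"RequiredLength {requested.RequiredLength} is below the host minimum of {floor.MinimumRequiredLength}.");
        if (floor.RequireDigit && !requested.RequireDigit)
            errors.Add("RequireDigit cannot be disabled by a tenant.");
        if (floor.RequireUppercase && !requested.RequireUppercase)
            errors.Add("RequireUppercase cannot be disabled by a tenant.");
        if (floor.RequireNonAlphanumeric && !requested.RequireNonAlphanumeric)
            errors.Add("RequireNonAlphanumeric cannot be disabled by a tenant.");
        return errors;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed in-memory configuration standing in for appsettings.json.
        var configuration = new ConfigurationBuilder()
            .AddInMemoryCollection(new Dictionary<string, string?>
            {
                ["PasswordPolicy:MinimumRequiredLength"] = "12",
                ["PasswordPolicy:RequireDigit"] = "true",
                ["PasswordPolicy:RequireUppercase"] = "true",
                ["PasswordPolicy:RequireNonAlphanumeric"] = "true",
            })
            .Build();
        var floor = PasswordPolicyGuard.LoadFloor(configuration);

        // The "length 1" setting from the post, and a setting stricter than the floor.
        var unsafeSetting = new TenantPasswordSetting { RequiredLength = 1 };
        var strictSetting = new TenantPasswordSetting
        {
            RequiredLength = 16, RequireDigit = true, RequireUppercase = true, RequireNonAlphanumeric = true
        };

        foreach (var setting in new[] { unsafeSetting, strictSetting })
        {
            var violations = PasswordPolicyGuard.Violations(floor, setting);
            Console.WriteLine(violations.Count == 0
                ? $"RequiredLength={setting.RequiredLength}: accepted"
                : $"RequiredLength={setting.RequiredLength}: rejected. {string.Join(" ", violations)}");
        }
    }
}
```

The floor lives with the host's configuration, not in the tenant-editable table, so the check survives upgrades without touching the controller code shown above; the same Violations call can also run on the server side of the user-create form so the floor is enforced even if the settings page is bypassed.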
This is a multitenant application. I log in as Host, then go to a Tenant and select a User to log in as (User A). User A has a Role that allows adding Users but not Roles. As User A I can see all the Users in the User grid. As User A I can click the Active button, select someone who is an Admin with higher levels of Permissions than I have, and click "Login as this User" (Admin B). Now I have full Admin permissions and see the Roles link, which I did not have access to as User A. Then of course I can create new Roles and even extend User A's Permissions. In theory I should not be able to log in as Admin B. Is that handled through the "Login for Users" permission? (The documentation doesn't explain what every checkbox does.)
Rick
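The escalation path described in this post, and one check that closes it, as an added example that is not ASP.NET Zero's own code: before "Login as this user" is honoured, require both that the acting user holds an impersonation permission and that the target user's effective permissions are a subset of the actor's. The permission names are assumptions for this example.

```csharp
// Added example (not ASP.NET Zero code): refuse impersonation whenever the target
// holds any permission the acting user does not already have.
// Assumed: the permission names used below.
using System;
using System.Collections.Generic;
using System.Linq;

public sealed class ImpersonationDecision
{
    public bool Allowed { get; set; }
    public string Reason { get; set; } = "";
}

public static class ImpersonationGuard
{
    public const string ImpersonatePermission = "Pages.Administration.Users.Impersonation"; // assumed name

    // Two conditions: (1) the actor is allowed to impersonate at all, and
    // (2) impersonating the target cannot grant the actor anything new, i.e.
    // target permissions minus actor permissions must be empty.
    public static ImpersonationDecision Evaluate(
        IReadOnlyCollection<string> actorPermissions,
        IReadOnlyCollection<string> targetPermissions)
    {
        var actor = new HashSet<string>(actorPermissions, StringComparer.Ordinal);
        if (!actor.Contains(ImpersonatePermission))
            return new ImpersonationDecision { Allowed = false, Reason = $"actor lacks {ImpersonatePermission}" };

        var escalated = targetPermissions
            .Where(p => !actor.Contains(p))
            .OrderBy(p => p, StringComparer.Ordinal)
            .ToList();
        if (escalated.Count > 0)
            return new ImpersonationDecision
            {
                Allowed = false,
                Reason = "target holds permissions the actor lacks: " + string.Join(", ", escalated)
            };

        return new ImpersonationDecision { Allowed = true, Reason = "target permissions are a subset of the actor's" };
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed permission sets modelled on the post: User A may manage users
        // but not roles; Admin B may manage both; User C can only view users.
        var userA = new[] { "Pages.Administration.Users", "Pages.Administration.Users.Create", ImpersonationGuard.ImpersonatePermission };
        var adminB = new[] { "Pages.Administration.Users", "Pages.Administration.Users.Create",
                             "Pages.Administration.Roles", "Pages.Administration.Roles.Create", ImpersonationGuard.ImpersonatePermission };
        var userC = new[] { "Pages.Administration.Users" };

        Print("User A -> Admin B", ImpersonationGuard.Evaluate(userA, adminB));
        Print("User A -> User C", ImpersonationGuard.Evaluate(userA, userC));
        Print("User C -> User A", ImpersonationGuard.Evaluate(userC, userA));
    }

    private static void Print(string label, ImpersonationDecision decision) =>
        Console.WriteLine($"{label}: {(decision.Allowed ? "allowed" : "denied")} ({decision.Reason})");
}
```

The subset rule is the important part: a checkbox that only answers "may this user impersonate anyone?" does not stop a user-admin from borrowing a role-admin's permissions, whereas comparing the two effective permission sets does, and it needs no role hierarchy to be configured.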
NetZero 8.5 - ASP.NET Core 3.1 Jquery
We are using NWebSec to add Content Security Policy into ASP.NET Zero 8.5. We’re using nonces on all script tags in the application as such (so using the tag helper):
<script nws-csp-add-nonce="true">
We’re getting a CSP error on the administration pages where the modal window is being loaded.
[Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-LxksDtd8QWExYudx431bw42g' 'unsafe-eval' www.google.com cse.google.com kendo.cdn.telerik.com cdnjs.cloudflare.com cdn.jsdelivr.net *.vimeo.com localhost". Either the 'unsafe-inline' keyword, a hash ('sha256-A89G9Jx+cHr6joI5m9XkZvnSPnz+jSxZZlJRNjwuHqc='), or a nonce ('nonce-...') is required to enable inline execution.
I assume we’re getting this error because the content of the modal (CreateOrEditModal) is loading content dynamically (through Ajax). We have added the following configuration in the Startup for NWebSec:
app.UseHsts(options => options.MaxAge(days: 30));
//app.UseNoCacheHttpHeaders(); //Registered after static files, to set headers only for dynamic content.
app.UseRedirectValidation(); //Registered after static files, they don't redirect
app.UseReferrerPolicy(options => options.StrictOriginWhenCrossOrigin());
//app.UseReferrerPolicy(opts => opts.NoReferrerWhenDowngrade());
app.UseXContentTypeOptions();
app.UseXDownloadOptions();
app.UseXfo(options => options.SameOrigin());
//app.UseXfo(options => options.Deny());
app.UseXRobotsTag(options => options
    .NoIndex()
    .NoFollow()
    .NoArchive()
    .NoImageIndex()
    .NoOdp()
    .NoSnippet()
    .NoTranslate()
);
app.UseXXssProtection(options => options.EnabledWithBlockMode());

app.UseCspReportOnly(options => options
    .UpgradeInsecureRequests()
    .DefaultSources(s => s
        .Self()
        .CustomSources("data:")
        .CustomSources("https:")
    )
    .FontSources(s => s
        .Self()
        .CustomSources("fonts.googleapis.com", "*.fontawesome.com", "kendo.cdn.telerik.com", "*.vimeo.com"))
    .FormActions(s => s.Self())
    .FrameAncestors(s => s.Self())
    .FrameSources(s => s
        .Self()
        .CustomSources("*.youtube.com", "*.vimeo.com", "app.powerbi.com"))
    .ImageSources(s => s
        .Self()
        .CustomSources("kendo.cdn.telerik.com", "*.youtube.com", "*.vimeo.com", "data:"))
    .MediaSources(s => s
        .Self()
        .CustomSources("*.youtube.com", "*.vimeo.com"))
    .ScriptSources(s => s
        .Self()
        .CustomSources("www.google.com", "cse.google.com", "kendo.cdn.telerik.com", "cdnjs.cloudflare.com", "cdn.jsdelivr.net", "*.vimeo.com", "localhost")
        .UnsafeEval() //TODO Required for Kendo
    )
    .StyleSources(s => s
        .Self()
        .UnsafeInline()
        .CustomSources("*.google.com", "fonts.googleapis.com", "kendo.cdn.telerik.com", "cdn.jsdelivr.net", "*.vimeo.com", "*.youtube.com", "shepherdjs.dev/dist/css/shepherd.css"))
);
Is there a way to get around these exceptions as basically, we can’t enable CSP on the application now since it’ll block all admin pages?
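The violation message quoted above names the three things that let an inline script run under a nonce-based script-src: a matching nonce, a matching hash, or 'unsafe-inline'. The following is an added example, not NWebSec's or ASP.NET Zero's code, that applies those rules to the exact directive from the report so the cases can be tried offline; the modal script body is a constructed stand-in, not markup from the project.

```csharp
// Added example (not NWebSec or ASP.NET Zero code): decide whether an inline
// <script> would execute under a CSP script-src directive. Rules applied:
//  - a 'nonce-...' source matches the script's nonce attribute, or
//  - a 'sha256-...' source matches the hash of the script's exact text, or
//  - 'unsafe-inline' is present AND no nonce or hash source is present
//    (once any nonce/hash appears, browsers ignore 'unsafe-inline').
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class CspScriptSrc
{
    // Hash source expression for the script's exact text, as a browser computes it.
    public static string Sha256Source(string scriptBody)
    {
        var digest = SHA256.HashData(Encoding.UTF8.GetBytes(scriptBody));
        return "'sha256-" + Convert.ToBase64String(digest) + "'";
    }

    public static bool AllowsInlineScript(string scriptSrcDirective, string scriptBody, string? nonceAttribute)
    {
        var sources = scriptSrcDirective
            .Split(' ', StringSplitOptions.RemoveEmptyEntries)
            .ToHashSet(StringComparer.Ordinal);

        bool hasNonceOrHash = sources.Any(s =>
            s.StartsWith("'nonce-", StringComparison.Ordinal) ||
            s.StartsWith("'sha256-", StringComparison.Ordinal) ||
            s.StartsWith("'sha384-", StringComparison.Ordinal) ||
            s.StartsWith("'sha512-", StringComparison.Ordinal));

        if (sources.Contains("'unsafe-inline'") && !hasNonceOrHash) return true;
        if (nonceAttribute is not null && sources.Contains($"'nonce-{nonceAttribute}'")) return true;
        return sources.Contains(Sha256Source(scriptBody));
    }
}

public static class Program
{
    public static void Main()
    {
        // Directive copied from the violation report in the post.
        const string directive =
            "'self' 'nonce-LxksDtd8QWExYudx431bw42g' 'unsafe-eval' www.google.com cse.google.com " +
            "kendo.cdn.telerik.com cdnjs.cloudflare.com cdn.jsdelivr.net *.vimeo.com localhost";
        // Constructed stand-in for a script block inside modal markup fetched over Ajax.
        const string modalScript = "(function () { $('#UserModal').modal('show'); })();";

        Console.WriteLine("no nonce attribute: " + CspScriptSrc.AllowsInlineScript(directive, modalScript, null));
        Console.WriteLine("page's nonce:       " + CspScriptSrc.AllowsInlineScript(directive, modalScript, "LxksDtd8QWExYudx431bw42g"));
        Console.WriteLine("other nonce:        " + CspScriptSrc.AllowsInlineScript(directive, modalScript, "nonceFromAnotherResponse"));

        // Alternative for a script whose text never changes: allow-list its hash.
        var withHash = directive + " " + CspScriptSrc.Sha256Source(modalScript);
        Console.WriteLine("hash allow-listed:  " + CspScriptSrc.AllowsInlineScript(withHash, modalScript, null));
        Console.WriteLine("script text edited: " + CspScriptSrc.AllowsInlineScript(withHash, modalScript + " ", null));
    }
}
```

Two consequences follow from the rules. The nonce that counts is the one in the policy of the document the script runs in, so an inline block arriving in a later Ajax response only passes if it carries the original page's nonce, not a fresh one generated for that response. And a hash is tied to the byte-exact script text, so it suits static blocks but not ones that embed per-request values; for those the markup has to reach the client with the page's nonce, or the logic has to move into an external file served from 'self'.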
I haven't used the MultiSelect tool so I don't have an answer for you on that. I've found that the HtmlHelpers can be very finicky to configure to get them to work correctly, especially with handling Nulls, and Telerik's documentation is poor.
For example:
Create for a DateTimePicker
@(Html.Kendo().DatePicker()
.Name("ContactDate")
.Value("")
.HtmlAttributes(new { placeholder = "month/day/year" })
)
Edit for a DateTimePicker
@(Html.Kendo().DatePicker()
.Name("ContactDate")
.Value(Model.ContactDate)
.HtmlAttributes(new { placeholder = "month/day/year" })
)
In Startup.cs ConfigureServices you need
.AddNewtonsoftJson(options => options.SerializerSettings.ContractResolver = new DefaultContractResolver());
That handles the Pascal Case/Camel Case issue
I have it right above IdentityRegistrar.Register(services);
In following the documentation for Deleting a Theme for NetCore 3/Jquery I noticed that it is missing a step
In Areas -> AppAreaName -> Views -> Layout, you should also delete the \ThemeX folder that contains _Layout.cshtml.
Thanks for the reply. That had worked for me in 6.91. You are correct. It is not necessary to change the RenderSection. It should be
@RenderSection("Scripts", false)