@aaron thanks. Strangely I am on v6.4.0 but there seems to have been an issue committing some of those changes to Git when upgrading the framework!
Hi,
There appears to be a bug in the custom Application Logo feature. When uploading a custom logo, the logo is not displayed on the app page, but works ok on the login page. On trying to debug it I find that the following line in default-brand-component.html is the issue:
<img *ngIf="appSession.tenant && appSession.tenant.logoId" [src]="remoteServiceBaseUrl + '/TenantCustomization/GetTenantLogo?skin=' + ui.getAsideSkin() + '&tenantId=' + appSession.tenant.id + '&id=' + appSession.tenant.logoId" alt="logo" height="60" />
If I remove the ui.getAsideSkin() element from that line, then it works just fine.
If you look at app-ui-customization.service.ts then that function - getAsideSkin() - is not defined. In fact I cannot find another reference to that function anywhere in the Angular source.
Can you confirm if it is a bug or not? Or am I missing something?
Thanks,
Thanks @ismcagdas. I still think the ability to change the host name and default admin user would be a good future enhancement. However, I will close this off and leave that for the team to decide in the future.
Thanks.
I forgot to add that of course, there is also the option to enforce TFA on all host users. So I agree that while there are ways to make it 'secure' there are additional steps that could be taken to follow good/best practice that we cannot do due to those limitations.
@jims - I have looked at both of those and while you can use those to change other elements of the Admin user such as first name, last name, email etc, you cannot change the user name which is set from AbpUserBase.AdminUserName and the ABP documentation states "UserName of the admin. admin can not be deleted and UserName of the admin can not be changed."
@alper - of course you are correct from the perspective of a pure brute force attack. But that is not how sites are breached. Hackers can use a whole armoury of techniques from phishing to social engineering techniques to gain passwords. Once they have the password, they are in. Unless of course they also need to know other secrets that were specific to that site, such as the host tenant ID and user name.
For example, an online banking service would NEVER secure access to online accounts only using a password. The customer would also need to set other 'secrets'. These are not even bank account details such as account number or sort code, as these can be easily discovered. They are other secrets such as a user name, a passcode AND a password.
So my main point is that ABP and ASP.NET Zero is enforcing that on the template users. The ability to specify a host tenant ID, or change the default Admin user name, seems sensible; then it is the client's decision if/how they use that ability. Especially if they are using the template for storing sensitive data (personal or financial or both) for other tenants.
I will look in to the suggestion of making the 'Admin' passive and creating another user with full permissions which at least may give 2 out of 3 elements.
Thanks
Hi,
I would welcome any thoughts / opinions regarding a security concern with the template.
With a tenant in a multi-tenant setup, to a potential hacker there are three pieces of unknown information - the Tenant ID, the user name and the password. However, the host tenant ID/name is 'blank' and cannot (to my understanding) be changed. So that is one variable less that a potential hacker needs to 'guess.' Second, the default admin user for all tenants is 'Admin' and that name cannot be changed (as far as I understand). So access to the 'host', which in turn can gain access to all tenants, just requires a password to be cracked/hacked. OK, that is not a simple task I agree, but if three bits of information had to be known, then that would be significantly harder.
It therefore seems to be not following best practices by making 2 out of the three key bits of information clearly known (such as in these forums). It would not be so bad if we could easily change the host from a blank name to a unique tenant name, and be able to change 'Admin' to a named user with admin privileges that can be seeded with a new tenant through code - such as the user creating the new tenant.
Does anyone else share these concerns or am I being over-sensitive!? Would welcome thoughts/comments.
Thanks
Thank you for your help.
Just purchased the template and the asp-core and angular project build ok.
When building the mobile app on either Windows or Mac VS I get an error that 'DependencyResolver' is an ambiguous reference between 'myApp_Test.Core.Dependency.DependencyResolver' and 'Xamarin.Forms.Internals.DependencyResolver' in myApp_Test.Mobile.Shared, C:\Users\xyz\aspnet-core\src\MyApp_Test.Mobile.Shared\ViewModels\MainViewModel.cs.
Could anyone help to point me in the right direction? I have updated all the packages for the solution.
When downloading the template I selected the latest version of ASP.NET Core 2 + Angular.
Thanks
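The ambiguous-reference error above is the compiler seeing two types named DependencyResolver through two imported namespaces. The following is an added, self-contained illustration (not the ASP.NET Zero template's code): the Xamarin.Forms.Internals namespace is a constructed stand-in for the real library, the MyApp_Test.Mobile.Shared.ViewModels namespace is assumed for MainViewModel, and a using alias in that file pins the unqualified name to the application's own type.

```csharp
// Added example, not from the original post. Two namespaces each declare a
// DependencyResolver; importing both produces the CS0104 ambiguity described
// in the post, and a using alias resolves it without dropping either import.
namespace MyApp_Test.Core.Dependency
{
    // Stand-in for the template's own resolver.
    public static class DependencyResolver
    {
        public static string Resolve(string name) => $"core:{name}";
    }
}

namespace Xamarin.Forms.Internals // constructed stand-in for the real Xamarin namespace
{
    public static class DependencyResolver
    {
        public static string Resolve(string name) => $"forms:{name}";
    }
}

namespace MyApp_Test.Mobile.Shared.ViewModels // assumed namespace of MainViewModel
{
    using MyApp_Test.Core.Dependency;
    using Xamarin.Forms.Internals;
    // Without this alias the two imports above make "DependencyResolver" ambiguous.
    // A using alias takes precedence over types found via imported namespaces,
    // so the name below binds to the application's own type.
    using DependencyResolver = MyApp_Test.Core.Dependency.DependencyResolver;

    public class MainViewModel
    {
        public string Resolved => DependencyResolver.Resolve("MainViewModel");
    }

    public static class Program
    {
        // Prints "core:MainViewModel", showing the alias picked the Core type.
        public static void Main() => System.Console.WriteLine(new MainViewModel().Resolved);
    }
}
```

The alias must live in the same file (or namespace body) as the two using directives; placing it alongside them is enough, and the fully qualified name can still be used wherever the Xamarin type is actually wanted.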