add security to AppSettings #11196

sedulen created one year ago

What is your product version? v11.2.0
What is your product type (Angular or MVC)? Angular
What is product framework type (.net framework or .net core)? .net 6

In performing a security audit of an application I manage, I observed that in the AbpUserConfiguration/GetAll endpoint, in the response json, under "setting.values", all of the application settings are returned. In reviewing the custom AppSettings that I have added to this platform, there are several that I do not want returned to any public / anonymous external client. Additionally, I have some settings that I do not want returned to authorized / authenticated clients either. These settings are strictly accessible under the Administration UI for setting management, which are then used only server-side for processing and execution.

As an idea, I was thinking either in the AppSettings or in SettingDefinition, adding the ability to add an authorization boundary, similar to MultiTenancySides, and then a set of optional required permissions.

The authorization boundary would drive AbpUserConfiguration for retrieving settings, and would only return those settings that were appropriately defined (or attributed). So when loading the login page, I would only load those settings that were made available to anonymous visitors. Then when loading an authenticated page, I would only load those settings that were available anonymous and authorized visitors, and that matched the current user's permissions set.

I do recognize for AbpUserConfiguration that I can define my own Controller to customize this behavior. That being said, I thought that this could be a valuable feature to include in the base ABP or ANZ frameworks.

Thoughts?

Thanks! -Brian

add security to AppSettings #11196

2 Answer(s)