Users with low privileges can see logged operations they shouldn't be able to see --------------------------------------------------------------------------------- Key: WFCORE-1435 URL: https://issues.jboss.org/browse/WFCORE-1435 Project: WildFly Core Issue Type: Bug Components: Domain Management Affects Versions: 2.1.0.CR1 Reporter: ehsavoie Hugonnet Assignee: ehsavoie Hugonnet Priority: Critical Fix For: 2.1.0.CR2 If a SuperUser performs for example this: {noformat} /core-service=management/access=audit/in-memory-handler=y:add /core-service=management/access=audit/in-memory-handler=y:write-attribute(name=max-history,value=50) {noformat} then a Monitor user shouldn't be able to see this in the configuration change log (as decided in EAP7-89), because he doesn't even have the permission to "read" the manipulated resource.. But actually he can see it: {noformat} /core-service=management/service=configuration-changes:list-changes { "outcome" => "success", "result" => [ { "operation-date" => "2016-03-15T08:40:25.807Z", "access-mechanism" => "NATIVE", "remote-address" => "127.0.0.1/127.0.0.1", "outcome" => "success", "operations" => [{ "operation" => "write-attribute", "address" => [ ("core-service" => "management"), ("access" => "audit"), ("in-memory-handler" => "y") ] }] }, { "operation-date" => "2016-03-15T08:40:25.809Z", "access-mechanism" => "NATIVE", "remote-address" => "127.0.0.1/127.0.0.1", "outcome" => "success", "operations" => [{ "operation" => "add", "address" => [ ("core-service" => "management"), ("access" => "audit"), ("in-memory-handler" => "y") ] }] } ] } {noformat}