[jboss-jira] [JBoss JIRA] (WFCORE-1435) Users with low privileges can see logged operations they shouldn't be able to see

ehsavoie Hugonnet (JIRA) issues at jboss.org
Tue Mar 15 13:51:00 EDT 2016


     [ https://issues.jboss.org/browse/WFCORE-1435?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

ehsavoie Hugonnet moved JBEAP-3835 to WFCORE-1435:
--------------------------------------------------

              Project: WildFly Core  (was: JBoss Enterprise Application Platform)
                  Key: WFCORE-1435  (was: JBEAP-3835)
             Workflow: GIT Pull Request workflow   (was: CDW with loose statuses v1)
          Component/s: Domain Management
                           (was: Domain Management)
       Target Release:   (was: 7.0.0.GA)
    Affects Version/s: 2.1.0.CR1
                           (was: 7.0.0.ER6)


> Users with low privileges can see logged operations they shouldn't be able to see
> ---------------------------------------------------------------------------------
>
>                 Key: WFCORE-1435
>                 URL: https://issues.jboss.org/browse/WFCORE-1435
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Domain Management
>    Affects Versions: 2.1.0.CR1
>            Reporter: ehsavoie Hugonnet
>            Assignee: ehsavoie Hugonnet
>            Priority: Critical
>
> If a SuperUser performs for example this:
> {noformat}
> /core-service=management/access=audit/in-memory-handler=y:add   
> /core-service=management/access=audit/in-memory-handler=y:write-attribute(name=max-history,value=50)
> {noformat}
> then a Monitor user shouldn't be able to see this in the configuration change log (as decided in EAP7-89), because he doesn't even have the permission to "read" the manipulated resource. But actually he can see it:
> {noformat}
> /core-service=management/service=configuration-changes:list-changes
> {
>     "outcome" => "success",
>     "result" => [
>         {
>             "operation-date" => "2016-03-15T08:40:25.807Z",
>             "access-mechanism" => "NATIVE",
>             "remote-address" => "127.0.0.1/127.0.0.1",
>             "outcome" => "success",
>             "operations" => [{
>                 "operation" => "write-attribute",
>                 "address" => [
>                     ("core-service" => "management"),
>                     ("access" => "audit"),
>                     ("in-memory-handler" => "y")
>                 ]
>             }]
>         },
>         {
>             "operation-date" => "2016-03-15T08:40:25.809Z",
>             "access-mechanism" => "NATIVE",
>             "remote-address" => "127.0.0.1/127.0.0.1",
>             "outcome" => "success",
>             "operations" => [{
>                 "operation" => "add",
>                 "address" => [
>                     ("core-service" => "management"),
>                     ("access" => "audit"),
>                     ("in-memory-handler" => "y")
>                 ]
>             }]
>         }
>     ]
> }
> {noformat}
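The behaviour the report asks for, modelled in Python as an added example (this is not WildFly Core code, and the role policy, the `is_audit_resource` rule and the third log entry are constructed assumptions for illustration): each change-log entry is checked against the caller's read permission on the changed address, and an entry is withheld when any operation inside it targets a resource the caller may not read.

```python
from typing import Any, Dict, List, Tuple

# A management address is a list of (key, value) pairs, as in the CLI output.
Address = List[Tuple[str, str]]
Entry = Dict[str, Any]

# Constructed sample log in the shape of the list-changes result: the two
# audit-handler changes from the report plus one unrelated, non-sensitive change.
CHANGE_LOG: List[Entry] = [
    {
        "operation-date": "2016-03-15T08:40:25.807Z",
        "access-mechanism": "NATIVE",
        "remote-address": "127.0.0.1/127.0.0.1",
        "outcome": "success",
        "operations": [
            {"operation": "write-attribute",
             "address": [("core-service", "management"), ("access", "audit"),
                         ("in-memory-handler", "y")]}
        ],
    },
    {
        "operation-date": "2016-03-15T08:40:25.809Z",
        "access-mechanism": "NATIVE",
        "remote-address": "127.0.0.1/127.0.0.1",
        "outcome": "success",
        "operations": [
            {"operation": "add",
             "address": [("core-service", "management"), ("access", "audit"),
                         ("in-memory-handler", "y")]}
        ],
    },
    {   # constructed entry: a change a Monitor is allowed to read
        "operation-date": "2016-03-15T08:41:02.100Z",
        "access-mechanism": "NATIVE",
        "remote-address": "127.0.0.1/127.0.0.1",
        "outcome": "success",
        "operations": [
            {"operation": "add",
             "address": [("subsystem", "datasources"), ("data-source", "ExampleDS")]}
        ],
    },
]


def is_audit_resource(address: Address) -> bool:
    """Hypothetical sensitivity rule: anything under
    /core-service=management/access=audit is audit-logging configuration."""
    return address[:2] == [("core-service", "management"), ("access", "audit")]


def can_read(role: str, address: Address) -> bool:
    """Simplified read policy (an assumption, not the real RBAC matrix):
    SuperUser and Auditor may read audit configuration, Monitor may read
    only non-sensitive resources, anything else is denied by default."""
    if role in ("SuperUser", "Auditor"):
        return True
    if role == "Monitor":
        return not is_audit_resource(address)
    return False


def filter_changes(entries: List[Entry], role: str) -> List[Entry]:
    """Return only the entries whose every operation targets an address the
    role may read.  An entry is dropped whole if any operation inside it is
    unreadable, so a composite operation cannot leak a sensitive step."""
    visible: List[Entry] = []
    for entry in entries:
        if all(can_read(role, op["address"]) for op in entry["operations"]):
            visible.append(entry)
    return visible


def visible_operations(entries: List[Entry], role: str) -> List[Tuple[str, Address]]:
    """(operation name, address) pairs the role would see after filtering."""
    return [(op["operation"], op["address"])
            for entry in filter_changes(entries, role)
            for op in entry["operations"]]


if __name__ == "__main__":
    for role in ("Monitor", "Auditor", "SuperUser"):
        print(role, [name for name, _ in visible_operations(CHANGE_LOG, role)])
```

With this filter in place, the Monitor in the report would receive only the datasource entry from `list-changes`, while the two audit-handler changes remain visible to Auditor and SuperUser.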



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)

