[jboss-jira] [JBoss JIRA] (WFCORE-1435) Users with low privileges can see logged operations they shouldn't be able to see
Brian Stansberry (JIRA)
issues at jboss.org
Tue Mar 15 17:13:00 EDT 2016
[ https://issues.jboss.org/browse/WFCORE-1435?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brian Stansberry updated WFCORE-1435:
-------------------------------------
Fix Version/s: 2.1.0.CR2
> Users with low privileges can see logged operations they shouldn't be able to see
> ---------------------------------------------------------------------------------
>
> Key: WFCORE-1435
> URL: https://issues.jboss.org/browse/WFCORE-1435
> Project: WildFly Core
> Issue Type: Bug
> Components: Domain Management
> Affects Versions: 2.1.0.CR1
> Reporter: ehsavoie Hugonnet
> Assignee: ehsavoie Hugonnet
> Priority: Critical
> Fix For: 2.1.0.CR2
>
>
> If a SuperUser performs for example this:
> {noformat}
> /core-service=management/access=audit/in-memory-handler=y:add
> /core-service=management/access=audit/in-memory-handler=y:write-attribute(name=max-history,value=50)
> {noformat}
> then a Monitor user shouldn't be able to see this in the configuration change log (as decided in EAP7-89), because he doesn't even have the permission to "read" the manipulated resource. But actually he can see it:
> {noformat}
> /core-service=management/service=configuration-changes:list-changes
> {
>     "outcome" => "success",
>     "result" => [
>         {
>             "operation-date" => "2016-03-15T08:40:25.807Z",
>             "access-mechanism" => "NATIVE",
>             "remote-address" => "127.0.0.1/127.0.0.1",
>             "outcome" => "success",
>             "operations" => [{
>                 "operation" => "write-attribute",
>                 "address" => [
>                     ("core-service" => "management"),
>                     ("access" => "audit"),
>                     ("in-memory-handler" => "y")
>                 ]
>             }]
>         },
>         {
>             "operation-date" => "2016-03-15T08:40:25.809Z",
>             "access-mechanism" => "NATIVE",
>             "remote-address" => "127.0.0.1/127.0.0.1",
>             "outcome" => "success",
>             "operations" => [{
>                 "operation" => "add",
>                 "address" => [
>                     ("core-service" => "management"),
>                     ("access" => "audit"),
>                     ("in-memory-handler" => "y")
>                 ]
>             }]
>         }
>     ]
> }
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
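The authorization gap the report describes, as an added example that is not WildFly's code: the vulnerable `list-changes` behaviour returns every entry regardless of the caller's role, while the hardened version drops any entry whose operations touch a resource the caller could not read directly. The change log is constructed in the shape of the output above (plus one non-sensitive entry), and the sensitivity rule and the set of roles allowed to read audit-log configuration are simplifying assumptions, not WildFly's actual RBAC constraint tables.

```python
# Added example (not WildFly's code): a simplified model of the missing
# read-permission filter behind WFCORE-1435.

# Constructed change log, shaped like the list-changes output in the report.
CHANGE_LOG = [
    {"operation-date": "2016-03-15T08:40:25.807Z", "outcome": "success",
     "operations": [{"operation": "write-attribute",
                     "address": [("core-service", "management"),
                                 ("access", "audit"),
                                 ("in-memory-handler", "y")]}]},
    {"operation-date": "2016-03-15T08:40:25.809Z", "outcome": "success",
     "operations": [{"operation": "add",
                     "address": [("core-service", "management"),
                                 ("access", "audit"),
                                 ("in-memory-handler", "y")]}]},
    # Constructed non-sensitive change so the filter has something to keep.
    {"operation-date": "2016-03-15T08:41:02.100Z", "outcome": "success",
     "operations": [{"operation": "write-attribute",
                     "address": [("subsystem", "logging"),
                                 ("root-logger", "ROOT")]}]},
]

# Assumption: everything under the audit-log resource is sensitive, and only
# these roles may read it. Real WildFly RBAC is more fine-grained than this.
SENSITIVE_PREFIX = [("core-service", "management"), ("access", "audit")]
READS_SENSITIVE = {"SuperUser", "Auditor"}

def can_read(role, address):
    """True if `role` may read the resource at `address` (simplified model)."""
    if address[:len(SENSITIVE_PREFIX)] == SENSITIVE_PREFIX:
        return role in READS_SENSITIVE
    return True  # non-sensitive configuration is readable by every role here

def list_changes_unfiltered(role):
    """Vulnerable behaviour: the caller's role is never consulted."""
    return list(CHANGE_LOG)

def list_changes_filtered(role):
    """Hardened: an entry is visible only if the caller could read every
    resource its operations address; otherwise the whole entry is hidden."""
    return [entry for entry in CHANGE_LOG
            if all(can_read(role, op["address"]) for op in entry["operations"])]
```

Hiding the whole entry rather than just redacting the address matters: even the timestamp and operation name of a change to a resource the caller cannot read is information they should not have.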