-
Bug
-
Resolution: Done
-
Blocker
-
7.0.0.ER6
-
None
If a SuperUser performs for example this:
/core-service=management/access=audit/in-memory-handler=y:add /core-service=management/access=audit/in-memory-handler=y:write-attribute(name=max-history,value=50)
then a Monitor user shouldn't be able to see this in the configuration change log (as decided in EAP7-89), because he doesn't even have the permission to "read" the manipulated resource.. But actually he can see it:
/core-service=management/service=configuration-changes:list-changes { "outcome" => "success", "result" => [ { "operation-date" => "2016-03-15T08:40:25.807Z", "access-mechanism" => "NATIVE", "remote-address" => "127.0.0.1/127.0.0.1", "outcome" => "success", "operations" => [{ "operation" => "write-attribute", "address" => [ ("core-service" => "management"), ("access" => "audit"), ("in-memory-handler" => "y") ] }] }, { "operation-date" => "2016-03-15T08:40:25.809Z", "access-mechanism" => "NATIVE", "remote-address" => "127.0.0.1/127.0.0.1", "outcome" => "success", "operations" => [{ "operation" => "add", "address" => [ ("core-service" => "management"), ("access" => "audit"), ("in-memory-handler" => "y") ] }] } ] }
- is cloned by
-
WFCORE-1435 Users with low privileges can see logged operations they shouldn't be able to see
- Resolved