Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-1435

Users with low privileges can see logged operations they shouldn't be able to see

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • 2.1.0.Final
    • 2.1.0.CR1
    • Management
    • None

      If a SuperUser performs for example this:

      /core-service=management/access=audit/in-memory-handler=y:add   
      /core-service=management/access=audit/in-memory-handler=y:write-attribute(name=max-history,value=50)
      

      then a Monitor user shouldn't be able to see this in the configuration change log (as decided in EAP7-89), because he doesn't even have the permission to "read" the manipulated resource.. But actually he can see it:

      /core-service=management/service=configuration-changes:list-changes
      {
          "outcome" => "success",
          "result" => [
              {
                  "operation-date" => "2016-03-15T08:40:25.807Z",
                  "access-mechanism" => "NATIVE",
                  "remote-address" => "127.0.0.1/127.0.0.1",
                  "outcome" => "success",
                  "operations" => [{
                      "operation" => "write-attribute",
                      "address" => [
                          ("core-service" => "management"),
                          ("access" => "audit"),
                          ("in-memory-handler" => "y")
                      ]
                  }]
              },
              {
                  "operation-date" => "2016-03-15T08:40:25.809Z",
                  "access-mechanism" => "NATIVE",
                  "remote-address" => "127.0.0.1/127.0.0.1",
                  "outcome" => "success",
                  "operations" => [{
                      "operation" => "add",
                      "address" => [
                          ("core-service" => "management"),
                          ("access" => "audit"),
                          ("in-memory-handler" => "y")
                      ]
                  }]
              }
          ]
      }
      

              ehugonne1@redhat.com Emmanuel Hugonnet
              ehugonne1@redhat.com Emmanuel Hugonnet
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: