RongtongJin commented on code in PR #10448:
URL: https://github.com/apache/rocketmq/pull/10448#discussion_r3386082952
##########
remoting/src/main/java/org/apache/rocketmq/remoting/protocol/RequestCode.java:
##########
@@ -311,4 +311,7 @@ public class RequestCode {
public static final int AUTH_LIST_ACL = 3010;
public static final int SWITCH_TIMER_ENGINE = 5001;
+
+ public static final int DELETE_TOPIC_IN_BROKER_LIST = 5002;
+ public static final int DELETE_SUBSCRIPTIONGROUP_LIST = 5003;
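Review bot: The two new constants carry no Javadoc saying what each request body holds, and their names are inconsistent with each other: `DELETE_TOPIC_IN_BROKER_LIST` keeps the `IN_BROKER` qualifier while `DELETE_SUBSCRIPTIONGROUP_LIST` drops both the qualifier and the underscore in `SUBSCRIPTION_GROUP`. Suggest naming them in parallel (e.g. `DELETE_SUBSCRIPTION_GROUP_LIST`) and adding a one-line comment on each stating that it is a destructive batch operation whose topic/group names travel in the body rather than in a custom header, so that anyone wiring authorization for these codes sees immediately that no annotated header exists for them.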
Review Comment:
These new destructive request codes are not associated with any
`CommandCustomHeader` annotated with `@RocketMQAction` / `@RocketMQResource`.
The authorization builder resolves actions through `RequestHeaderRegistry`,
which only scans annotated request headers; these batch APIs send `null` custom
headers and put the topic/group list in the body, so authorization can produce
an empty context list and allow the request without checking DELETE permission.
Please add annotated headers for these request codes, or explicitly teach the
authorization builder to parse these bodies and create DELETE contexts for each
topic/group.
--
This is an automated message from the Apache Git Service.
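A simplified model of the fail-open path the review describes and of the default-deny fix it asks for, added here as an example and not RocketMQ's own code: `REGISTRY`, `BODY_RESOLVERS`, `build_contexts_*`, `authorize*` and `decide` are hypothetical stand-ins for `RequestHeaderRegistry` and the authorization builder, the JSON body shape and the code `SINGLE_TOPIC_DELETE` are constructed, and only the two request codes come from the hunk.

```python
import json

# Request codes from the hunk under review; the third is a constructed code for a
# request whose custom header IS annotated, to show the registry path working.
DELETE_TOPIC_IN_BROKER_LIST = 5002
DELETE_SUBSCRIPTIONGROUP_LIST = 5003
SINGLE_TOPIC_DELETE = 9999

# Stand-in for RequestHeaderRegistry: only annotated headers map to (action, resource).
REGISTRY = {SINGLE_TOPIC_DELETE: lambda h: [("DELETE", "TOPIC:" + h["topic"])]}

# Assumed body shape for the batch codes: a JSON object holding a list of names.
BODY_RESOLVERS = {
    DELETE_TOPIC_IN_BROKER_LIST: ("TOPIC", "topics"),
    DELETE_SUBSCRIPTIONGROUP_LIST: ("GROUP", "groups"),
}

def build_contexts_original(code, header, body):
    """Mirrors the path the review flags: unregistered code or null header -> []."""
    resolver = REGISTRY.get(code)
    return [] if resolver is None or header is None else resolver(header)

def authorize(contexts, granted):
    """all() over an empty list is True, so no context means the request is allowed."""
    return all(ctx in granted for ctx in contexts)

def build_contexts_hardened(code, header, body):
    """Also parses the batch bodies: one DELETE context per listed topic/group."""
    if code in BODY_RESOLVERS:
        kind, key = BODY_RESOLVERS[code]
        names = json.loads(body or "{}").get(key, [])
        return [("DELETE", f"{kind}:{name}") for name in names]
    return build_contexts_original(code, header, body)

def authorize_hardened(code, contexts, granted):
    """Default-deny: a destructive batch code that yields no context is refused."""
    if code in BODY_RESOLVERS and not contexts:
        return False
    return authorize(contexts, granted)

def decide(code, header, body, granted, hardened):
    """Runs either pipeline end to end and returns True if the request is allowed."""
    if hardened:
        return authorize_hardened(code, build_contexts_hardened(code, header, body), granted)
    return authorize(build_contexts_original(code, header, body), granted)
```

With a caller granted DELETE only on topic `orders`, a 5002 request listing `orders` and `payments` is allowed by the original pipeline (empty context list) and refused by the hardened one; a batch body with no names is refused outright rather than vacuously allowed.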