[
https://issues.apache.org/jira/browse/QPID-7703?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15924056#comment-15924056
]
Rob Godfrey commented on QPID-7703:
-----------------------------------
I would argue that if you have the permission to delete the queue (or exchange)
then you shouldn't need to also have permission to unbind.
Similarly if you have permission to delete a vhost you shouldn't need to have
permission to delete queues, exchanges, etc...
> [Java Broker] 'Unbind' privilege is not checked for removal of queue
> bindings on queue deletion
> ------------------------------------------------------------------------------------------------
>
> Key: QPID-7703
> URL: https://issues.apache.org/jira/browse/QPID-7703
> Project: Qpid
> Issue Type: Bug
> Components: Java Broker
> Affects Versions: qpid-java-broker-7.0.0
> Reporter: Alex Rudyy
>
> As part of changes in QPID-6028 the queue binding implementation was changed
> and responsibilities to create and remove bindings were moved into Exchange
> operations 'bind' and 'unbind' accordingly. The exchanges are now
> responsible for performing authorization checks for 'bind' and 'unbind'
> operations. However, on queue deletion, the queue bindings are removed
> without performing 'unbind' authorization checks which is a change in
> behaviour comparing with previous 6.x releases. We need to decide whether we
> need to restore previous behaviour and enforce 'unbind' ACL check on queue
> deletion or keep existing functionality.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
