david-golightly-leapyear opened a new pull request #3926: URL: https://github.com/apache/zeppelin/pull/3926
### What is this PR for?

As described in the linked issue, there has been a bug where, when a user creates or updates a note, that user's note list is published to all connected users, instead of their own note lists. This has the security problem that it leaks information about a user's note list to other users who may not have permission to see it. This PR fixes that bug by querying each connected user's note list and publishing that instead.

### What type of PR is it?

Bug Fix

### What is the Jira issue?

https://issues.apache.org/jira/browse/ZEPPELIN-5061

### How should this be tested?

Manual testing:

* Configure a list of users using a `shiro.ini` file. Example:

```ini
[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
admin = password1, admin
user1 = password2, role1
user2 = password3, role1
```

* Turn off public notebooks in `zeppelin-site.xml` by setting the property `zeppelin.notebook.public` to `false`
* Boot Zeppelin server on this PR
* Log in as user1
* In a separate browser, log in as user2
* As user1, create a note

Previous result: user1's note appears on user2's dashboard. Refreshing user2's browser will cause the note to disappear from their dashboard.

Fixed expectations:

- user1's note does not appear on user2's dashboard.
- the display of any notes created by user1 is not affected when user2 creates a note
- when `zeppelin.notebook.public` is set to `true`, user1's note appears as expected on user1's dashboard

----------------------------------------------------------------
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected]
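The failure mode the PR describes (one user's authorized note list pushed to every open connection) and the fix (compute the list per connection against that connection's own principals) can be modelled without Zeppelin itself. The following is an added, constructed example and is not Zeppelin's code: `Note`, `Connection`, `NotebookServer`, `broadcast_creator_list`, `broadcast_per_connection` and `run_scenario` are hypothetical names, and `public_notebooks` stands in for the `zeppelin.notebook.public` setting from the test plan above. It reproduces the three expectations in the test plan: the leak to user2, user1's own note vanishing when user2 creates one, and the public-mode behaviour.

```python
"""Model of a note-list push that leaks across users, beside the per-connection fix.
Constructed example for illustration; not Zeppelin's own server code."""
from dataclasses import dataclass, field


@dataclass
class Note:
    note_id: str
    name: str
    owners: set   # users/roles that own the note
    readers: set  # users/roles allowed to read; an empty set means everyone


@dataclass
class Connection:
    """One connected client: the logged-in user and the roles assigned at login."""
    user: str
    roles: set
    received: list = field(default_factory=list)  # note lists pushed to this client

    def principals(self):
        return {self.user} | self.roles


class NotebookServer:
    def __init__(self, public_notebooks):
        self.public_notebooks = public_notebooks  # models zeppelin.notebook.public
        self.notes = {}
        self.connections = []
        self._next_id = 0

    def connect(self, conn):
        self.connections.append(conn)

    def visible_notes(self, conn):
        """Authorization check: a client may see a note if it is readable by
        everyone or one of the client's principals is in the readers set."""
        names = [n.name for n in self.notes.values()
                 if not n.readers or n.readers & conn.principals()]
        return sorted(names)

    def create_note(self, conn, name, publish):
        """Create a note for `conn`; in private mode only the creator can read it."""
        self._next_id += 1
        readers = set() if self.public_notebooks else {conn.user}
        note = Note(str(self._next_id), name, {conn.user}, readers)
        self.notes[note.note_id] = note
        publish(self, conn)  # push updated note lists to connected clients


def broadcast_creator_list(server, creator):
    """Buggy pattern: the note list is computed once, for the creating user,
    and the same list is pushed to every connection regardless of its user."""
    creator_list = server.visible_notes(creator)
    for conn in server.connections:
        conn.received.append(creator_list)


def broadcast_per_connection(server, creator):
    """Fixed pattern: each connection gets a list filtered by its own principals,
    so nothing a client is not permitted to read is ever sent to it."""
    for conn in server.connections:
        conn.received.append(server.visible_notes(conn))


def run_scenario(public_notebooks, publish):
    """user1 and user2 (both role1) are connected; user1 then user2 creates a note.
    Returns the last note list each client was sent."""
    server = NotebookServer(public_notebooks)
    user1 = Connection("user1", {"role1"})
    user2 = Connection("user2", {"role1"})
    server.connect(user1)
    server.connect(user2)
    server.create_note(user1, "note-A", publish)
    server.create_note(user2, "note-B", publish)
    return {c.user: c.received[-1] for c in (user1, user2)}


if __name__ == "__main__":
    print("buggy, private :", run_scenario(False, broadcast_creator_list))
    print("fixed, private :", run_scenario(False, broadcast_per_connection))
    print("fixed, public  :", run_scenario(True, broadcast_per_connection))
```

With the buggy publisher in private mode, both clients end up holding user2's list: user2's private note has been sent to user1, and user1's own note has disappeared from user1's dashboard, exactly the "refresh makes it disappear" symptom in the test plan. With the per-connection publisher each client holds only what `visible_notes` authorizes for it, and in public mode both clients legitimately see both notes.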
