Hi! In my testing it appears that a user need only be in one for the roles assigned to a layer in order to be granted access to the layer. This appears to be nominal behavior based on the current documentation: https://docs.geoserver.org/stable/en/user/security/layer.html : "If a user belongs to multiple roles, the least restrictive permission they inherit will apply.”
I would like to try a test and change the code to require the user to have all of the roles on the layer instead of just one of them. I would very much appreciate it if someone can help me identify the code that is responsible for this. I’m not familiar with the code base so I was just looking through and found a couple things that look promising but I’m not sure if these control layer access or not. Things I came across and suspect are relevant (but not sure): - SecureTreeNode.java : public boolean canAccess(Authentication user, AccessMode mode) - SecuredLookupServiceImpl.java : private boolean canAccess(Secured sec) Any help would be very much appreciated! I just need to identify the relevant code for this functionality. Note - I’m using the 2.18.1 version released on source forge 23NOV2020. Thanks! -Andy _______________________________________________ Geoserver-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/geoserver-devel
