[
https://issues.apache.org/jira/browse/ARTEMIS-5894?focusedWorklogId=1004442&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1004442
]
ASF GitHub Bot logged work on ARTEMIS-5894:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 10/Feb/26 17:29
Start Date: 10/Feb/26 17:29
Worklog Time Spent: 10m
Work Description: brusdev opened a new pull request, #6232:
URL: https://github.com/apache/artemis/pull/6232
The canInvoke method received operation names with parameter signatures
(e.g., "deleteAddress(java.lang.String)"), while invoke received them without
signatures (e.g., "deleteAddress"). This caused the RBAC address built by
canInvoke to differ from the one built by invoke, leading to permission check
mismatches that prevented the console from properly hiding unauthorized menu
items.
This fix normalizes operation names by stripping parameter signatures before
building RBAC addresses in both canInvoke and invoke. Also changes null
operation checks to require VIEW instead of EDIT permission, allowing users to
see MBeans they have view access to.
Issue Time Tracking
-------------------
Worklog Id: (was: 1004442)
Remaining Estimate: 0h
Time Spent: 10m
> The web console shows menu items for unauthorized operations
> ------------------------------------------------------------
>
> Key: ARTEMIS-5894
> URL: https://issues.apache.org/jira/browse/ARTEMIS-5894
> Project: Artemis
> Issue Type: Bug
> Environment: When utilizing ArtemisRbacMBeanServerBuilder for
> Role-Based Access Control (RBAC) on management operations, the web console
> fails to hide menu items for unauthorized actions.
> For instance, a user without the amq role can still see the "Delete Address"
> menu item, even when the following security configuration is applied to
> restrict access:
> {code:java}
> <security-setting match="mops.broker.deleteAddress">
>    <permission type="edit" roles="amq"/>
> </security-setting>
> {code}
> The web console should dynamically filter the user interface. If a user lacks
> the required permission for a specific management operation (e.g.,
> deleteAddress), the corresponding menu item should be hidden from their view.
> Reporter: Domenico Francesco Bruscino
> Assignee: Domenico Francesco Bruscino
> Priority: Major
> Labels: pull-request-available
> Time Spent: 10m
> Remaining Estimate: 0h
>
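The mismatch described in the pull request, as an added example that is not part of the original message and is not Artemis code. The class and method names, the address layout (modelled on the `mops.broker.deleteAddress` match in the issue) and the catch-all `mops.#` setting are assumptions, and setting lookup is simplified to exact match with one fallback.

```java
import java.util.Map;
import java.util.Set;

public class RbacAddressDemo {
    // Constructed settings: the exact match comes from the issue, the catch-all is assumed.
    static final Map<String, Set<String>> EDIT_ROLES = Map.of(
        "mops.broker.deleteAddress", Set.of("amq"),
        "mops.#", Set.of("amq", "users"));

    // Strip a parameter signature: "deleteAddress(java.lang.String)" -> "deleteAddress".
    static String normalize(String operation) {
        if (operation == null) {
            return null;
        }
        int paren = operation.indexOf('(');
        return paren < 0 ? operation : operation.substring(0, paren);
    }

    // Hypothetical address layout, modelled on the "mops.broker.deleteAddress" match.
    static String address(String operation) {
        return "mops.broker." + operation;
    }

    // Simplified lookup: the exact setting if present, otherwise the catch-all.
    static boolean canEdit(String address, String role) {
        Set<String> roles = EDIT_ROLES.getOrDefault(address, EDIT_ROLES.get("mops.#"));
        return roles.contains(role);
    }

    public static void main(String[] args) {
        String fromCanInvoke = "deleteAddress(java.lang.String)"; // name with signature
        String fromInvoke = "deleteAddress";                      // name without signature
        String role = "users";                                    // a user without the amq role

        // Without normalization the two paths check different addresses and can disagree.
        System.out.println(address(fromCanInvoke) + " -> " + canEdit(address(fromCanInvoke), role));
        System.out.println(address(fromInvoke) + " -> " + canEdit(address(fromInvoke), role));

        // With normalization both paths build the same address and reach the same decision.
        String a = address(normalize(fromCanInvoke));
        String b = address(normalize(fromInvoke));
        System.out.println(a.equals(b) + " -> " + canEdit(a, role));
    }
}
```

A regression test for this class of bug asserts that the address built for the pre-check and the address built for the actual invocation are equal for every operation name form the caller can supply.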