Github user JPercivall commented on a diff in the pull request:
https://github.com/apache/nifi/pull/698#discussion_r71795555
--- Diff:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/FlowController.java
---
@@ -2147,9 +2147,15 @@ public ProcessGroupStatus getGroupStatus(final
ProcessGroup group, final Reposit
return null;
}
+ // if the user is null, this is not a web request so we need to
treat as authorized - this is the case when
+ // gather status for history in a background thread... we then
will check the access of the user when pulling
+ // back history...
+ final NiFiUser user = NiFiUserUtils.getNiFiUser();
+ final boolean isAuthorized = user == null ? true :
group.isAuthorized(authorizer, RequestAction.READ, user);
--- End diff --
This seems like a very insecure way to do things (if null then authorized).
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
