Github user mcgilman commented on a diff in the pull request:
https://github.com/apache/nifi/pull/698#discussion_r71818711
--- Diff:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/main/java/org/apache/nifi/controller/FlowController.java
---
@@ -2147,9 +2147,15 @@ public ProcessGroupStatus getGroupStatus(final
ProcessGroup group, final Reposit
return null;
}
+ // if the user is null, this is not a web request so we need to
treat as authorized - this is the case when
+ // gather status for history in a background thread... we then
will check the access of the user when pulling
+ // back history...
+ final NiFiUser user = NiFiUserUtils.getNiFiUser();
+ final boolean isAuthorized = user == null ? true :
group.isAuthorized(authorizer, RequestAction.READ, user);
--- End diff --
When handling a web request, the user will always be available. When this
method is running outside the scope of a web request, there is nothing to
attempt to authorize (nor should we). This conditional authorization seems
appropriate to me. However, I think we can clean up the code to make the
distinction a little more clear and deliberate.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
