markap14 commented on pull request #5072: URL: https://github.com/apache/nifi/pull/5072#issuecomment-901976823
One thing that I noticed is that when a parameter context is updated, we make sure that the user has WRITE permissions to the parameter context and READ permissions to all inherited contexts. But when one is created, if it inherits from other contexts, we do not check if the user has READ permissions to the inherited contexts. (I.e., we check READ for inherited contexts when you update a context but not when we create it.)

I think if we are modifying the Parameter Context, the permissions checking may need to be a bit more in-depth, too. If you are modifying the parameter context, initially we were saying you only need WRITE to the parameter context in question. But because the list of included parameter contexts may be changing, I think we need to enforce READ on all inherited contexts as well. Specifically, we need to enforce that if you want to update a parameter context, you need WRITE on the parameter context and READ on all parameter contexts that it currently inherits from and READ on all parameter contexts that it will inherit from after the update.

For example: Parameter Context A is currently inheriting from B, and I want to change it to inherit from only C. I need WRITE to Context A and READ to Context B and C. If I just want to change the name for Parameter Context A, I need WRITE to A and READ to B.
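The permission rule described in the comment above, as an added stand-alone model (not part of the comment and not NiFi's code). The function names, the `(action, context id)` tuples and the sample grants are hypothetical, and the model covers only the directly listed inherited contexts.

```python
from typing import Iterable, Optional, Set, Tuple

READ, WRITE = "READ", "WRITE"
Requirement = Tuple[str, str]  # (action, parameter context id); hypothetical shape


def required_for_create(inherited: Iterable[str]) -> Set[Requirement]:
    """READ on every context the new context inherits from.
    The permission to create a context at all is outside this model."""
    return {(READ, ctx) for ctx in inherited}


def required_for_update(target: str,
                        current_inherited: Iterable[str],
                        proposed_inherited: Optional[Iterable[str]] = None
                        ) -> Set[Requirement]:
    """WRITE on the target, READ on what it inherits from now, and READ on
    what it will inherit from after the update. proposed_inherited=None
    means the request leaves the inheritance list unchanged."""
    current = set(current_inherited)
    proposed = current if proposed_inherited is None else set(proposed_inherited)
    return {(WRITE, target)} | {(READ, ctx) for ctx in current | proposed}


def missing(grants: Set[Requirement], required: Set[Requirement]) -> Set[Requirement]:
    """Requirements the user does not hold; an empty set means authorized."""
    return required - grants


if __name__ == "__main__":
    # Constructed grants: the user can write A and read B, but cannot read C.
    grants = {(WRITE, "A"), (READ, "B")}
    # A inherits from B; change it to inherit from only C: READ on C is missing.
    print(missing(grants, required_for_update("A", ["B"], ["C"])))
    # Rename only: authorized with WRITE on A and READ on B.
    print(missing(grants, required_for_update("A", ["B"])))
    # Create a context inheriting from C: denied by the same READ rule.
    print(missing(grants, required_for_create(["C"])))
```
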
