gresockj commented on pull request #5072: URL: https://github.com/apache/nifi/pull/5072#issuecomment-902582782
> One thing that I noticed is that when a parameter context is updated, we make sure that the user has WRITE permissions to the parameter context and READ permissions to all inherited contexts. But when one is created, if it inherits from other contexts, we do not check if the user has READ permissions to the inherited contexts. (I.e., we check READ for inherited contexts when you update a context but not when we create it) > > I think if we are modifying the Parameter Context, the permissions checking may need to be a bit more in-depth, too. If you are modifying the parameter context, initially we were saying you only need WRITE to the parameter context in question. But because the list of included parameter contexts may be changing, I think we need to enforce READ on all inherited contexts as well. Specifically, we need to enforce that if you want to update a parameter context, you need WRITE on the parameter context and READ on all parameter contexts that it currently inherits from and READ on all parameter contexts that it will inherit from after the update. For example Parameter Context A, and it currently inheriting from B, and I want to change it to inherit from only C. I need WRITE to Context A and READ to Context B and C. If I just want to change the name for Parameter Context A, I need WRITE to A and READ to B. Thanks @markap14, great idea with the permissions. I made this adjustment and pushed the changes. Although I agree that generally you should require READ on inherited parameter contexts, I'm wondering more about the case of removing an inherited parameter context. As it is described above (and in the code now), if I suddenly discover I no longer have access to an inherited parameter context (Context B above), I can not remove it from Context A. Perhaps this is okay, in that the solution would be for me to contact the administrator, who could remove it, but I just wanted to point out that users might expect they could at least remove an inherited Context they didn't have access to. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
