[
https://issues.apache.org/jira/browse/NIFI-12862?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17827188#comment-17827188
]
ASF subversion and git services commented on NIFI-12862:
--------------------------------------------------------
Commit c093ea54b77c816d94a23c7af19f97f96baa7d2f in nifi's branch
refs/heads/main from Tamas Palfy
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=c093ea54b7 ]
NIFI-12862 When building FlowAnalysisRuleViolationDTO objects (in
StandardNiFiServiceFacade), violating component details will be left blank when
user has no read permission for that component.
NIFI-12862 Expose subjectComponentType to frontend.
Signed-off-by: Pierre Villard <[email protected]>
This closes #8475.
> FlowAnalysisResults should not leak anauthorized component details
> ------------------------------------------------------------------
>
> Key: NIFI-12862
> URL: https://issues.apache.org/jira/browse/NIFI-12862
> Project: Apache NiFi
> Issue Type: Bug
> Reporter: Tamas Palfy
> Assignee: Tamas Palfy
> Priority: Major
> Time Spent: 40m
> Remaining Estimate: 0h
>
> The FlowAnalysisResultEntity hold FlowAnalysisRuleViolationDTO that contain
> the name of a violating component as a message describing the violation. This
> usually contains details about the violating component.
> A user can see these even if they don't have read permission for that
> particular component.
> In clustered environment the request merger filters out such violations but
> in a non-clustered environment there is no such filtering phase.
> The FlowAnalysisRuleViolationDTO itself should be built accordingly and leave
> certain details blank when the user lacks read permissions.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
