ocket8888 commented on code in PR #7688:
URL: https://github.com/apache/trafficcontrol/pull/7688#discussion_r1281278092
##########
traffic_ops/traffic_ops_golang/parameter/parameters.go:
##########
@@ -176,10 +176,14 @@ func (param *TOParameter) Read(h http.Header, useIMS
bool) ([]interface{}, error
return nil, nil, errors.New("scanning " +
param.GetType() + ": " + err.Error()), http.StatusInternalServerError, nil
}
if p.Secure != nil && *p.Secure {
- if param.ReqInfo.Version.Major >= 4 &&
- param.ReqInfo.Config.RoleBasedPermissions &&
-
!param.ReqInfo.User.Can("PARAMETER-SECURE:READ") {
- p.Value = &HiddenField
+ if param.ReqInfo.Version.Major >= 4 {
+ if param.ReqInfo.Config.RoleBasedPermissions {
+ if
!param.ReqInfo.User.Can("PARAMETER-SECURE:READ") {
+ p.Value = &HiddenField
+ }
+ } else if param.ReqInfo.User.PrivLevel <
auth.PrivLevelAdmin {
+ p.Value = &HiddenField
+ }
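Review bot: The fallback `else if param.ReqInfo.User.PrivLevel < auth.PrivLevelAdmin` is nested inside `if param.ReqInfo.Version.Major >= 4 {`, so with `RoleBasedPermissions` disabled every API version from 4 upward decides on Priv Level; if that is meant for version 4 only, bound the version check explicitly, or add a comment saying the behaviour for later versions is deliberate for now. The hunk as shown ends before the `Version.Major >= 4` block closes, so it is worth confirming that requests below version 4 still get `HiddenField` for non-admin users, because a gap there would return the secure value unmasked. `p.Value = &HiddenField` is also now assigned in two branches; computing a single "may read secure value" boolean and assigning once would make the policy easier to audit and to test.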
Review Comment:
So in APIv5 and later we want to not consider "Priv Level" no matter what.
The configuration file option that does that is not meant to act on APIv5 - but
it currently does. So far that's fine because APIv5 isn't released, but it's
something we need to fix. The question, then, is do you want to do that here
right now, or leave it consistent with the rest of the server's behavior and
then when that's fixed someone will need to remember to fix this, too?