Pan, Julian created KYLIN-2938:
----------------------------------

Summary: Project Update ACL issue
Key: KYLIN-2938
URL: https://issues.apache.org/jira/browse/KYLIN-2938
Project: Kylin
Issue Type: Bug
Components: REST Service
Affects Versions: v2.1.0
Reporter: Pan, Julian
Assignee: Zhong,Jason

I noticed there is different security between updateProject and renameProject in ProjectService.

@PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN + " or hasPermission(#currentProject, 'ADMINISTRATION') or hasPermission(#currentProject, 'MANAGEMENT')")
updateProject

@PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN + " or hasPermission(#currentProject, 'ADMINISTRATION')")
renameProject

Even updateProject will call renameProject, which will throw an exception if the user is in the MANAGEMENT role.
renameProject should have the same security check as updateProject.

--
This message was sent by Atlassian JIRA (v6.4.14#64029)
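
The mismatch reported above can be caught mechanically by checking every caller/callee pair for grants the caller accepts but the callee rejects. The script below is an added example, not Kylin code or part of the report: it models the two quoted `@PreAuthorize` expressions as strings, handles only `or`-joined expressions, treats `Constant.ACCESS_HAS_ROLE_ADMIN` as an opaque token because its value is not shown in the report, and uses the hypothetical helper names `grants` and `find_gaps`.

```python
import re

# Constructed model of the annotations quoted in the report. The constant's
# value is not on the page, so it stays an opaque token.
ADMIN = "Constant.ACCESS_HAS_ROLE_ADMIN"
RULES = {
    "updateProject": ADMIN
    + " or hasPermission(#currentProject, 'ADMINISTRATION')"
    + " or hasPermission(#currentProject, 'MANAGEMENT')",
    "renameProject": ADMIN
    + " or hasPermission(#currentProject, 'ADMINISTRATION')",
}
# Call edge stated in the report: updateProject calls renameProject.
CALLS = [("updateProject", "renameProject")]

PERM = re.compile(r"hasPermission\(\s*#\w+\s*,\s*'(\w+)'\s*\)")


def grants(expr):
    """Return the set of alternatives accepted by an or-only expression."""
    accepted = set()
    for term in re.split(r"\s+or\s+", expr.strip()):
        match = PERM.fullmatch(term)
        if match:
            accepted.add(match.group(1))
        elif term == ADMIN:
            accepted.add(ADMIN)
        else:
            # Refuse to guess at anything beyond simple disjunctions.
            raise ValueError("unsupported term: " + term)
    return accepted


def find_gaps(rules, calls):
    """List (caller, callee, grants) where the caller admits a user the callee rejects."""
    gaps = []
    for caller, callee in calls:
        missing = grants(rules[caller]) - grants(rules[callee])
        if missing:
            gaps.append((caller, callee, sorted(missing)))
    return gaps


if __name__ == "__main__":
    for caller, callee, missing in find_gaps(RULES, CALLS):
        print(caller + " -> " + callee + ": callee rejects " + ", ".join(missing))
```

An empty result means every user admitted by a caller is also admitted by the methods it invokes, which is the state the report asks for.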