Solr / SOLR-10627

Security API should not let users create permission with collection:null for per collection permissions


Details

    Description

      Users end up creating permissions like

      {
      "collection":null,
      "name": "update",
      "role": "some-role"
      }
      

      They expect this to secure the update operations. This does not work and does not protect any operation.

      The security API should throw an error when such a permission is created. For the well-known permissions, we already know the value of collection.

      • If collection:null is specified for a per-collection permission, it should be ignored.
      • For permissions where collection is not required, such as collection-admin-edit and security-edit, the value of collection is null anyway; no other value should be allowed to be specified.
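
An added example (not Solr's code and not part of the original issue): a Python lint for the `authorization.permissions` list of a `security.json` that applies the two rules above. The `PER_COLLECTION` and `NO_COLLECTION` tables are an assumed, partial list built only from the permission names in this issue, and the sample document is constructed.

```python
import json

# Assumed, partial tables built from the permission names in this issue;
# extend them to match the well-known permissions of your Solr version.
PER_COLLECTION = {"update"}
NO_COLLECTION = {"collection-admin-edit", "security-edit"}


def check_permission(perm):
    """Return (normalized_permission, finding); finding is None when clean."""
    name = perm.get("name")
    has_key = "collection" in perm
    value = perm.get("collection")
    if name in PER_COLLECTION and has_key and value is None:
        # Rule 1: explicit null on a per-collection permission is ignored.
        fixed = {k: v for k, v in perm.items() if k != "collection"}
        return fixed, f"{name}: explicit collection:null dropped"
    if name in NO_COLLECTION and value is not None:
        # Rule 2: these permissions take no collection; reject any value.
        raise ValueError(f"{name}: collection must not be set, got {value!r}")
    return perm, None


def audit(security_json_text):
    """Lint the authorization.permissions list of a security.json document."""
    doc = json.loads(security_json_text)
    findings = []
    for index, perm in enumerate(doc.get("authorization", {}).get("permissions", [])):
        try:
            _, finding = check_permission(perm)
        except ValueError as err:
            finding = f"rejected: {err}"
        if finding:
            findings.append((index, finding))
    return findings


# Constructed sample input, not taken from a real deployment.
SAMPLE = """
{"authorization": {"permissions": [
  {"collection": null, "name": "update", "role": "some-role"},
  {"name": "update", "role": "some-role"},
  {"name": "security-edit", "collection": "techproducts", "role": "admin"},
  {"name": "collection-admin-edit", "collection": null, "role": "admin"}
]}}
"""

if __name__ == "__main__":
    for index, finding in audit(SAMPLE):
        print(index, finding)
```

The lint distinguishes an absent `collection` key from an explicit `null`, which is the case the issue describes as silently protecting nothing.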

          People

            noble.paul Noble Paul