tpalfy commented on code in PR #9093:
URL: https://github.com/apache/nifi/pull/9093#discussion_r1684127914
##########
nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/AuthorizeControllerServiceReference.java:
##########
@@ -162,7 +162,6 @@ private static void authorize(Authorizer authorizer,
AuthorizableLookup lookup,
Authorizable serviceAuthorizable = service.getAuthorizable();
serviceAuthorizable.authorize(authorizer, RequestAction.READ,
user);
- serviceAuthorizable.authorize(authorizer, RequestAction.WRITE,
user);
Review Comment:
@markap14 this change is basically a fix for
https://issues.apache.org/jira/browse/NIFI-9895. I thought hard and this change
looks reasonable for me. But maybe I'm missing something. Could there be a
reason to allow the change of a controller service reference only to users who
have write access to that controller service - when it's referenced via a
parameter context?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscr...@nifi.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
