tpalfy commented on code in PR #9093: URL: https://github.com/apache/nifi/pull/9093#discussion_r1684127914
########## nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/authorization/AuthorizeControllerServiceReference.java: ########## @@ -162,7 +162,6 @@ private static void authorize(Authorizer authorizer, AuthorizableLookup lookup, Authorizable serviceAuthorizable = service.getAuthorizable(); serviceAuthorizable.authorize(authorizer, RequestAction.READ, user); - serviceAuthorizable.authorize(authorizer, RequestAction.WRITE, user); Review Comment: @markap14 this change is basically a fix for https://issues.apache.org/jira/browse/NIFI-9895. I thought hard and this change looks reasonable for me. But maybe I'm missing something. Could there be a reason to allow the change of a controller service reference only to users who have write access to that controller service - when it's referenced via a parameter context? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@nifi.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org