[ https://issues.apache.org/jira/browse/RANGER-4546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17790524#comment-17790524 ]
Pradeep Agrawal commented on RANGER-4546:
-----------------------------------------

Review request link : https://reviews.apache.org/r/74763/

> /assets/ugsyncAudits/{sync_source} API is accessible by user without permission on audit module
> -----------------------------------------------------------------------------------------------
>
>                 Key: RANGER-4546
>                 URL: https://issues.apache.org/jira/browse/RANGER-4546
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Abhishek
>            Assignee: Pradeep Agrawal
>            Priority: Major
>             Fix For: 3.0.0
>
>         Attachments: 0002-RANGER-4546-assets-ugsyncAudits-sync_source-API-is-a.patch
>
>
> A user without permission on the audits module is able to access the /assets/ugsyncAudits/{sync_source} API.
> Ideally, the user should not be allowed to access the API, and it should result in a 403 error.
> If the same user tries to access the /assets/ugsyncAudits API, it results in a 403 error (as expected).
> Similarly, the behaviour has to be changed for the /assets/ugsyncAudits/{sync_source} API

--
This message was sent by Atlassian Jira
(v8.20.10#820010)