[ https://issues.apache.org/jira/browse/NIFI-12862?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tamas Palfy reassigned NIFI-12862:
----------------------------------

    Assignee: Tamas Palfy

> FlowAnalysisResults should leak unauthorized component details
> --------------------------------------------------------------
>
>                 Key: NIFI-12862
>                 URL: https://issues.apache.org/jira/browse/NIFI-12862
>             Project: Apache NiFi
>          Issue Type: Bug
>            Reporter: Tamas Palfy
>            Assignee: Tamas Palfy
>            Priority: Major
>
> The FlowAnalysisResultEntity holds FlowAnalysisRuleViolationDTO objects that contain
> the name of a violating component as a message describing the violation. This
> usually contains details about the violating component.
> A user can see these even if they don't have read permission for that
> particular component.
> In a clustered environment the request merger filters out such violations but
> in a non-clustered environment there is no such filtering phase.
> The FlowAnalysisRuleViolationDTO itself should be built accordingly and leave
> certain details blank when the user lacks read permissions.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
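
The approach the issue proposes, applying the read check while the response object is built so that a standalone node does not depend on a later merge step, can be sketched as follows. This is an added example, not NiFi code: the record types, their field names, the choice of which fields to blank, and the `canReadComponent` predicate are all hypothetical.

```java
import java.util.List;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;

// Hypothetical stand-ins for illustration; not NiFi's classes or field names.
public class ViolationRedactionExample {

    // Internal rule result, carrying full detail about the violating component.
    record Violation(String ruleId, String subjectId, String subjectName, String message) {}

    // What is serialized to the caller. A null field means "withheld".
    record ViolationView(String ruleId, String subjectId, String subjectName,
                         String message, boolean canRead) {}

    // The read check runs while the view is built, so every code path
    // (standalone or clustered) returns the same redacted shape.
    static ViolationView toView(Violation v, Predicate<String> canReadComponent) {
        boolean canRead = canReadComponent.test(v.subjectId());
        if (canRead) {
            return new ViolationView(v.ruleId(), v.subjectId(), v.subjectName(), v.message(), true);
        }
        // Assumption: name and message are the fields that describe the
        // component, so both are blanked; the opaque id is kept.
        return new ViolationView(v.ruleId(), v.subjectId(), null, null, false);
    }

    static List<ViolationView> buildResponse(List<Violation> all,
                                             Predicate<String> canReadComponent) {
        return all.stream()
                .map(v -> toView(v, canReadComponent))
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample data.
        List<Violation> violations = List.of(
                new Violation("rule-1", "proc-a", "FetchPayroll",
                        "'FetchPayroll' violates rule-1"),
                new Violation("rule-1", "proc-b", "LogAttribute",
                        "'LogAttribute' violates rule-1"));
        Set<String> readable = Set.of("proc-b"); // components the caller may read

        for (ViolationView view : buildResponse(violations, readable::contains)) {
            System.out.println(view); // proc-a prints with null name and message
        }
    }
}
```

Because the message text itself embeds the component name, blanking only the name field would still disclose it; the sketch withholds both.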