[ZEPPELIN-3397] User with read only access can update the permissions of a notebook and gain write access - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Invalid
Affects Version/s: 0.7.3
Fix Version/s: None
Component/s: security
Labels:
None
Environment:

Linux: Centos 7.2

HDP: 2.6.3

Zeppelin: 0.7.3

Description

NOTE: Less of an issue if we prevent user from accessing some of the UI.... https://issues.apache.org/jira/browse/ZEPPELIN-3396 (Tho I think the curl endpoints may also need to be updated)

Currently I have a notebook in which is own by the admin, in which user1 has "Read" access.

As user1, I can click on "Note permissions" and display the permissions.

I then proceed to modify it and save it .

Then as user1, I can actually go edit the paragraphs and run it after my permission has been updated.

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

image-2018-04-09-12-08-39-371.png
09/Apr/18 19:08
81 kB
Ying Chen
image-2018-04-09-12-09-27-992.png
09/Apr/18 19:09
83 kB
Ying Chen
image-2018-04-09-12-09-49-994.png
09/Apr/18 19:09
103 kB
Ying Chen

Activity

People

Assignee:: Unassigned

Reporter:: Ying Chen

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 09/Apr/18 19:11

Updated:: 10/Apr/18 14:32

Resolved:: 10/Apr/18 14:32