archon gum created ZEPPELIN-4458:
------------------------------------

             Summary: All users can change any notebooks' Note Permissions
                 Key: ZEPPELIN-4458
                 URL: https://issues.apache.org/jira/browse/ZEPPELIN-4458
             Project: Zeppelin
          Issue Type: Bug
          Components: NotebookRepo
    Affects Versions: 0.8.2
            Reporter: archon gum

Here is my `shiro.ini`:

{code:ini}
[users]
admin = 123123, ADMIN
dev = 123123, DEV
viewer = 123123, VIEWER

[main]
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = JSESSIONID
cookie.httpOnly = true
sessionManager.sessionIdCookie = $cookie
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[roles]
ADMIN = *
DEV = *
VIEWER = *

[urls]
/api/version = anon
/api/interpreter/setting/restart/** = authc
/api/interpreter/** = authc, roles[ADMIN]
/api/configurations/** = authc, roles[ADMIN]
/api/credential/** = authc, roles[ADMIN]
/** = authc
{code}

I use admin to create a notebook and set `owner` to the admin user and `reader` to the viewer user.

Then I use viewer to read that notebook; permissions work except for `Note Permissions`: viewer can change the `Note Permissions`...

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
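
An added example, not part of the report or of Zeppelin's code: a small Python evaluator for the `[users]` and `[urls]` sections above, assuming Shiro's first-match-wins rule ordering and Ant-style path patterns. It shows that a request under `/api/notebook/` (the path used here and `NOTE_ID` are assumed placeholders) only reaches `/** = authc`, so admin, dev and viewer all pass the Shiro layer and any owner check has to come from Zeppelin's own per-note permissions.

```python
import configparser
import re
from fnmatch import fnmatchcase
# [users] and [urls] copied from the shiro.ini in the report above.
SHIRO_INI = """
[users]
admin = 123123, ADMIN
dev = 123123, DEV
viewer = 123123, VIEWER
[urls]
/api/version = anon
/api/interpreter/setting/restart/** = authc
/api/interpreter/** = authc, roles[ADMIN]
/api/configurations/** = authc, roles[ADMIN]
/api/credential/** = authc, roles[ADMIN]
/** = authc
"""

def load(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep role names and paths case-sensitive
    cp.read_string(text)
    users = {u: {r.strip() for r in v.split(",")[1:]} for u, v in cp["users"].items()}
    return users, list(cp["urls"].items())  # [urls] order is significant

def ant_match(pattern, path):
    """Ant-style match: '*' stays inside one segment, '**' spans zero or more."""
    p, s = pattern.strip("/").split("/"), path.strip("/").split("/")
    def walk(i, j):
        if i == len(p):
            return j == len(s)
        if p[i] == "**":
            return any(walk(i + 1, k) for k in range(j, len(s) + 1))
        return j < len(s) and fnmatchcase(s[j], p[i]) and walk(i + 1, j + 1)
    return walk(0, 0)

def chain_for(path, urls):
    return next(((p, c) for p, c in urls if ant_match(p, path)), (None, ""))  # first match wins

def users_passing(path, users, urls):
    _, chain = chain_for(path, urls)
    # Every role named in a roles[...] filter on the matching rule is required.
    needed = {r.strip() for g in re.findall(r"roles\[([^\]]*)\]", chain) for r in g.split(",")}
    return sorted(u for u, roles in users.items() if needed <= roles)

if __name__ == "__main__":
    users, urls = load(SHIRO_INI)
    # Assumed path under Zeppelin's /api/notebook; NOTE_ID is a placeholder.
    for path in ("/api/notebook/NOTE_ID/permissions", "/api/interpreter/setting"):
        print(path, chain_for(path, urls), users_passing(path, users, urls))
```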