Github user mcgilman commented on a diff in the pull request:
https://github.com/apache/nifi/pull/2703#discussion_r190938627
--- Diff:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/controller/ControllerFacade.java
---
@@ -1359,7 +1363,12 @@ public ProvenanceEventDTO getProvenanceEvent(final
Long eventId) {
} else {
dataAuthorizable =
flowController.createLocalDataAuthorizable(event.getComponentId());
}
- dataAuthorizable.authorize(authorizer, RequestAction.READ,
NiFiUserUtils.getNiFiUser(), attributes);
+ // If not authorized for 'view the data', create only
summarized provenance event
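Review bot: At the removed `dataAuthorizable.authorize(authorizer, RequestAction.READ, NiFiUserUtils.getNiFiUser(), attributes)` line, the only 'view the data' check visible in this hunk goes away, and the quoted lines end at the new comment, so nothing here shows where the authorization decision is now made or which fields the unauthorized path returns. Suggest keeping that decision explicit at this point in `getProvenanceEvent` and fixing the set of fields the unauthorized response may carry in this method rather than inheriting it from whatever the summary contains, with a test asserting that attributes and content are absent for a user without the data policy.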
--- End diff --
I believe the event summaries are what's necessary to populate the table.
However, even if the user does not have 'view the data' they can still open the
event dialog. Shouldn't we be returning more than a summary? The event should
include everything but the attributes and content fields. Piggybacking on the
summarization concept could inadvertently change this if we ever change what
comprises a summary (if we change the table for instance).
---