Open
Description
openedon Jul 17, 2024
From #187540
After discussions with the security team, the public API shouldn't check the capabilities api. Instead, we should rely on the saved objects api to error when a request is made with insufficient privileges.
While removing the code is simple enough, we should verify that behavior is largely unchanged.
Currently, the spaces api impacts REST api calls. This was never the intention for the spaces api. A superuser should be able to modify data views even if 'data views' are disabled in a given space.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Metadata
Assignees
Labels
Data Views code and UI - index patterns before 8.0Feature label for Data Views, Advanced Setting, Saved Object management pagesDiscover App Team (Document Explorer, Saved Search, Surrounding documents, Data, DataViews)Addressing this issue will have a medium level of impact on the quality/strength of our product.Small Level of Effort