Skip to content

[data views] Public API checks capabilities... it shouldn't. #188569

New issue
New issue
Open
#188596
Open
[data views] Public API checks capabilities... it shouldn't.#188569
#188596
Assignees
mattkime
Labels
Feature:Data ViewsData Views code and UI - index patterns before 8.0Feature:Kibana ManagementFeature label for Data Views, Advanced Setting, Saved Object management pagesTeam:DataDiscoveryDiscover, search (e.g. data plugin and KQL), data views, saved searches. For ES|QL, use Team:ES|QL.impact:mediumAddressing this issue will have a medium level of impact on the quality/strength of our product.loe:smallSmall Level of Effort
@mattkime

Description

@mattkime
mattkime
opened on Jul 17, 2024

From #187540

After discussions with the security team, the public API shouldn't check the capabilities api. Instead, we should rely on the saved objects api to error when a request is made with insufficient privileges.

While removing the code is simple enough, we should verify that behavior is largely unchanged.

Currently, the spaces api impacts REST api calls. This was never the intention for the spaces api. A superuser should be able to modify data views even if 'data views' are disabled in a given space.

Activity

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Assignees

Labels

Feature:Data ViewsData Views code and UI - index patterns before 8.0Feature:Kibana ManagementFeature label for Data Views, Advanced Setting, Saved Object management pagesTeam:DataDiscoveryDiscover, search (e.g. data plugin and KQL), data views, saved searches. For ES|QL, use Team:ES|QL.impact:mediumAddressing this issue will have a medium level of impact on the quality/strength of our product.loe:smallSmall Level of Effort

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions