Add server-side validation for "Share to space" restrictions #130562

Open
jportner opened this issue Apr 19, 2022 · 1 comment
Labels
enhancement New value added to drive a business result Feature:Security/Sharing Saved Objects Platform Security - Sharing Saved Objects feature Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

jportner commented Apr 19, 2022

Users can share some saved object types to multiple spaces.

When you do this, Kibana actually fetches the entire reference graph (all child relations) for that object and shares all of them.

Before doing this, Kibana validates (A) if there are any conflicting legacy URL aliases in the destination spaces, and (B) if there are any existing objects with matching origins in the destination spaces. If either of these is true, the UI won't allow you to share the saved object, because it could cause "legacy URL alias conflicts".

We currently only do this validation on the client side, but that means that 1. there is a race condition when the user first opens the "Share" flyout (someone else could make a copy of the object before the first user has finished selecting what spaces to share the object to), and 2. any users who call the undocumented API directly could bypass this validation by accident.

We should add validation on the server side in the updateObjectsSpaces API and throw an error in that case.

Update:

When un-sharing an object from a space, related objects should NOT be un-shared. See issue #168657 and PR #169177. When implementing server-side validation, we should additionally seek to implement this behavior more efficiently, i.e. without requiring a potential second call to update objects spaces.
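
As an added illustration, not part of the issue and not Kibana's code: a minimal in-memory model of the server-side check requested above, covering checks (A) and (B), the cascading share, and the non-cascading un-share. The store shape, the function names, and the way an alias conflict is matched (same space, type and source ID) are assumptions made for the example.

```typescript
// Added illustration: in-memory model with hypothetical names, not Kibana's code.
type Key = string; // "type:id"
interface SavedObj { type: string; id: string; originId?: string; spaces: Set<string>; refs: Key[] }
interface Store { objects: Map<Key, SavedObj>; aliases: { space: string; type: string; sourceId: string }[] }
const keyOf = (o: SavedObj): Key => `${o.type}:${o.id}`;
const originOf = (o: SavedObj): string => o.originId ?? o.id;
// The root object plus everything it references, transitively (cycle-safe).
function referenceGraph(store: Store, root: Key): SavedObj[] {
  const seen = new Map<Key, SavedObj>();
  const stack: Key[] = [root];
  while (stack.length > 0) {
    const k = stack.pop() as Key;
    const obj = store.objects.get(k);
    if (obj === undefined || seen.has(k)) continue;
    seen.set(k, obj);
    stack.push(...obj.refs);
  }
  return Array.from(seen.values());
}
// Checks (A) and (B) for each object in each destination space it is not already in.
function findConflicts(store: Store, objs: SavedObj[], dest: string[]): string[] {
  const problems: string[] = [];
  for (const o of objs) for (const space of dest) {
    if (o.spaces.has(space)) continue;
    if (store.aliases.some(a => a.space === space && a.type === o.type && a.sourceId === o.id))
      problems.push(`${keyOf(o)}: legacy URL alias conflict in ${space}`);
    for (const x of Array.from(store.objects.values()))
      if (x !== o && x.type === o.type && x.spaces.has(space) && originOf(x) === originOf(o))
        problems.push(`${keyOf(o)}: matching origin ${keyOf(x)} in ${space}`);
  }
  return problems;
}
// Validate and write in one server-side call; any conflict rejects the whole request.
function updateSpacesChecked(store: Store, root: Key, add: string[], remove: string[]): void {
  const graph = referenceGraph(store, root);
  const rootObj = store.objects.get(root);
  if (rootObj === undefined) throw new Error(`not found: ${root}`);
  const problems = findConflicts(store, graph, add);
  if (problems.length > 0) throw new Error(problems.join("; "));
  for (const o of graph) add.forEach(s => o.spaces.add(s)); // sharing cascades to references
  remove.forEach(s => rootObj.spaces.delete(s)); // un-sharing touches the root only
}
// Constructed sample: query s1 references data view dv1 in space A; dv2 in space B is a copy of dv1.
function sampleStore(): Store {
  const mk = (type: string, id: string, space: string, refs: Key[], originId?: string): SavedObj =>
    ({ type, id, originId, spaces: new Set([space]), refs });
  const objs = [mk("query", "s1", "A", ["index-pattern:dv1"]),
    mk("index-pattern", "dv1", "A", []), mk("index-pattern", "dv2", "B", [], "dv1")];
  return { objects: new Map(objs.map((o): [Key, SavedObj] => [keyOf(o), o])), aliases: [] };
}
```

In this single-threaded model the check and the write cannot be interleaved; against real storage the two would have to be performed atomically for the race described in the issue to be closed.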

@jportner jportner added Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! enhancement New value added to drive a business result labels Apr 19, 2022
@elasticmachine

Pinging @elastic/kibana-security (Team:Security)

@legrego legrego added the Feature:Security/Sharing Saved Objects Platform Security - Sharing Saved Objects feature label Jul 6, 2022
jeramysoucy added a commit that referenced this issue Oct 23, 2023
…ce action (#169177)

closes #168657

## Summary

Updates the `share to spaces` action to refrain from removing spaces
from related objects (objects referenced by the target object).

I have also updated the description of issue #130562, which essentially
will replace much of the client-side implementation of this action, to
explicitly include this behavior.

### Manual Testing
- Create 2 spaces: A and B
- Add a sample data set (e.g. flight) to space A
- In Discover, create a saved query called "s1" (add a filter that uses
the sample data logs data view, and use the filter menu button)
- Go to `Stack Management->Saved Objects` and share the "s1" query to
space B
- Verify that the related data view is also shared to space B.
- Un-share the "s1" query from space B
- Verify that the related data view is still shared to space B.

### Automated Tests
- x-pack/plugins/spaces/public/share_saved_objects_to_space/components/share_to_space_flyout_internal.test.tsx

---------

Co-authored-by: kibanamachine <[email protected]>
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Oct 23, 2023
…ce action (elastic#169177)

(cherry picked from commit 4af9175)
kibanamachine added a commit that referenced this issue Oct 23, 2023
… to space action (#169177) (#169566)

# Backport

This will backport the following commits from `main` to `8.11`:
- [Fixes issue with removing spaces from related objects in share to
space action (#169177)](#169177)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)


Co-authored-by: Jeramy Soucy <[email protected]>