diff --git a/vault/logical_system.go b/vault/logical_system.go
index 21baf7423bf1..f7eebc568d8b 100644
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@@ -2899,6 +2899,14 @@ func (b *SystemBackend) pathInternalUIMountsRead(ctx context.Context, req *logic
 b.Core.mountsLock.RLock()
 for _, entry := range b.Core.mounts.Entries {
+ filtered, err := b.Core.checkReplicatedFiltering(ctx, entry, "")
+ if err != nil {
+ return nil, err
+ }
+ if filtered {
+ continue
+ }
+
 if ns.ID == entry.NamespaceID && hasAccess(ctx, entry) {
 if isAuthed {
 // If this is an authed request return all the mount info
@@ -2916,6 +2924,14 @@ func (b *SystemBackend) pathInternalUIMountsRead(ctx context.Context, req *logic
 b.Core.authLock.RLock()
 for _, entry := range b.Core.auth.Entries {
+ filtered, err := b.Core.checkReplicatedFiltering(ctx, entry, credentialRoutePrefix)
+ if err != nil {
+ return nil, err
+ }
+ if filtered {
+ continue
+ }
+
 if ns.ID == entry.NamespaceID && hasAccess(ctx, entry) {
 if isAuthed {
 // If this is an authed request return all the mount info
@@ -2955,6 +2971,14 @@ func (b *SystemBackend) pathInternalUIMountRead(ctx context.Context, req *logica
 return errResp, logical.ErrPermissionDenied
 }
+ filtered, err := b.Core.checkReplicatedFiltering(ctx, me, "")
+ if err != nil {
+ return nil, err
+ }
+ if filtered {
+ return errResp, logical.ErrPermissionDenied
+ }
+
 resp := &logical.Response{
 Data: mountInfo(me),
 }
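Review bot: The added `return nil, err` inside the `b.Core.mounts.Entries` loop of pathInternalUIMountsRead leaves the function while `b.Core.mountsLock.RLock()` is still held; no `defer` follows the `RLock()` call in the hunk, so unless a deferred release exists outside the visible lines, the read lock is never dropped on this path. A leaked read lock blocks every later writer on the mount table, so a single filtering error could stall mount and unmount operations until the process restarts. Release it before returning by putting `b.Core.mountsLock.RUnlock()` directly above `return nil, err`. The auth loop in the second hunk has the same problem with `b.Core.authLock` and needs `b.Core.authLock.RUnlock()` in the same position. The function body starts and ends outside both hunks.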
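Review bot: The filtering check added to pathInternalUIMountRead passes `""` as the prefix for `me`, whereas the list handler passes `credentialRoutePrefix` for auth entries; if `me` can be an auth mount here, the two endpoints may disagree on whether the same mount is filtered, so this is worth confirming against how `me` is resolved outside the hunk. Returning `errResp, logical.ErrPermissionDenied` for a filtered mount matches the return just above it in the hunk, which keeps the response from revealing that a filtered mount exists. That intent deserves a comment so it is not changed to a distinct error later, e.g. `// Answer exactly as the check above does, so a filtered mount is not distinguishable by its response.` The function starts outside the hunk.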