Enforce new Object ACLs in object logs

Description

The new Object ACLs needs to be enforced in object logs (REST API, UI). If a user has READ access to an object, he/she should also have access to the logs of that objects.

Activity

Show:
sergej.dumler@nethinks.com
December 17, 2020, 11:32 AM

and have tested the following:

  • Edited, Deleted, Newly created objects are filtered according to the ACLS.

  • Filter table:

    • Existing Object Logs -> OK

    • Deleted object logs -> OK

  • Direct URL calls -> OK (shows empty values)

Michael Batz
December 16, 2020, 8:26 AM

That does not really seem to work:

  • Viewing “Object Logs” page from the menu: Logs of restricted objects are filtered correctly

  • Direct access to a specific log of a restricted object via URL is possible:

Done

Assignee

Mark Heumüller

Reporter

Michael Batz

Labels

None

Story Points

3

Tester

None

Sprint

None

Fix versions

Priority

Medium