Skip to content

Improve advanced settings management APIs privilege checks#230067

Merged
Dosant merged 8 commits intoelastic:mainfrom
Dosant:advanced-settings-privileges
Aug 8, 2025
Merged

Improve advanced settings management APIs privilege checks#230067
Dosant merged 8 commits intoelastic:mainfrom
Dosant:advanced-settings-privileges

Conversation

@Dosant
Copy link
Contributor

@Dosant Dosant commented Jul 31, 2025
edited
Loading

Summary

This is about an internal, undocumented API for managing advanced settings, but we're marking it as a breaking change just in case.

Release Notes

Roles with explicit read access to advanced settings but all access to SavedObjectManagement can no longer update settings via the internal advanced settings API. This update enforces explicit privileges instead of relying on saved object security checks.
@Dosant Dosant changed the title Advanced settings privileges Aug 4, 2025
@Dosant Dosant marked this pull request as ready for review August 4, 2025 11:46
@Dosant Dosant requested review from a team as code owners August 4, 2025 11:46
@Dosant Dosant added release_note:breaking Team:SharedUX Platform AppEx-SharedUX (formerly Global Experience) t// labels Aug 4, 2025
@elasticmachine
Copy link
Contributor

elasticmachine commented Aug 4, 2025

Pinging @elastic/appex-sharedux (Team:SharedUX)
@Dosant Dosant added the backport:skip This PR does not require backporting label Aug 4, 2025
@Dosant Dosant requested a review from elena-shostak August 4, 2025 11:48
@Dosant Dosant changed the title Improve management of advanced settings APIs privilege checks Aug 4, 2025
tsullivan
tsullivan approved these changes Aug 5, 2025
View reviewed changes
Copy link
Member

@tsullivan tsullivan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM
@mattkime
Copy link
Contributor

mattkime commented Aug 6, 2025

codeowner changes look good but I wonder if this results in UI options that are presented but not functional. Whether this PR is merged doesn't depend upon this but we should have an accurate list of needed follow up changes. Will look at this tomorrow.
@Dosant
Copy link
Contributor Author

Dosant commented Aug 6, 2025
edited
Loading

codeowner changes look good but I wonder if this results in UI options that are presented but not functional. Whether this PR is merged doesn't depend upon this but we should have an accurate list of needed follow up changes. Will look at this tomorrow.

@mattkime, I think it's the other way around. Previously, the UI didn't allow to save, but the API was still accessible. Now, both the UI and the API are don't allow to save.
elena-shostak
elena-shostak approved these changes Aug 6, 2025
View reviewed changes
Copy link
Contributor

@elena-shostak elena-shostak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚢
@elasticmachine
Copy link
Contributor

elasticmachine commented Aug 6, 2025

💛 Build succeeded, but was flaky

Failed CI Steps

Metrics [docs]

✅ unchanged

History
@Dosant Dosant enabled auto-merge (squash) August 6, 2025 16:23
mattkime
mattkime approved these changes Aug 8, 2025
View reviewed changes
Copy link
Contributor

@mattkime mattkime left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

code changes look good and work well
@Dosant Dosant merged commit 337e668 into elastic:main Aug 8, 2025
12 checks passed
NicholasPeretti pushed a commit to NicholasPeretti/kibana that referenced this pull request Aug 18, 2025
@Dosant @elena-shostak @NicholasPeretti
Improve advanced settings management APIs privilege checks (elastic#2…
d2bec85 
…30067)

## Summary

This is about an internal, undocumented API for managing advanced
settings, but we're marking it as a breaking change just in case.

### Release Notes

Roles with explicit `read` access to advanced settings but `all` access
to `SavedObjectManagement` can no longer update settings via the
internal advanced settings API. This update enforces explicit privileges
instead of relying on saved object security checks.

---------

Co-authored-by: Elena Shostak <elena.shostak@elastic.co>
qn895 pushed a commit to qn895/kibana that referenced this pull request Aug 26, 2025
@Dosant @elena-shostak @qn895
Improve advanced settings management APIs privilege checks (elastic#2…
b34f1ae 
…30067)

## Summary

This is about an internal, undocumented API for managing advanced
settings, but we're marking it as a breaking change just in case.

### Release Notes

Roles with explicit `read` access to advanced settings but `all` access
to `SavedObjectManagement` can no longer update settings via the
internal advanced settings API. This update enforces explicit privileges
instead of relying on saved object security checks.

---------

Co-authored-by: Elena Shostak <elena.shostak@elastic.co>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backport:skip This PR does not require backporting release_note:breaking Team:SharedUX Platform AppEx-SharedUX (formerly Global Experience) t// v9.2.0

7 participants

@Dosant @elasticmachine @mattkime @tsullivan @dokmic @elena-shostak @kibanamachine