wso2 / product-apim

Welcome to the WSO2 API Manager source code! For info on working with the WSO2 API Manager repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

Users can view restricted APIs in API devportal without required role. #6022

Closed binodmx closed 5 years ago

binodmx commented 5 years ago
  1. The first issue is that any user who has any role can log in to the devportal.
  2. Users who have internal roles can view restricted APIs in the devportal without the required role.

chamilaadhi commented 5 years ago

Login issue is fixed in https://github.com/wso2/carbon-apimgt/pull/7309. Need to fix the second issue.

AmaliMatharaarachchi commented 5 years ago

This was not observed in the latest pack. Note that internal/publisher and internal/creator roles can see all APIs even when store visibility was enabled and restricted.