All users can see events for deleted streams regardless of permissions #24855

@ryan-carroll-graylog

Description

A user with no stream read permissions can still view events whose source stream(s) have been deleted.

Normally a user is only shown events whose source streams they have been granted read permission for, but once a stream is deleted we no longer filter out events that have the deleted stream as a source.

This appears to be because we filter events by compiling a list of streams the user does NOT have access to (a deny list) and excluding any events that have one of those streams as a source stream. A deleted stream is no longer available to be included in that forbidden-streams list, so events that have it as their only source are never filtered out:
https://github.com/Graylog2/graylog2-server/blob/f5f6fb1e795c57e42d71514bab76666b9[…]rc/main/java/org/graylog/events/search/EventsSearchService.java

The same deny-list approach has also caused problems for newer event definition types that produce events without an intuitive "source stream" (such as asset events): leaving the source streams empty means nothing is ever filtered, so all users can see them.

Expected Behavior

Event permissions should follow the principle of least privilege used elsewhere throughout the app: an event is visible only when the user has been granted read access to its source streams.

Current Behavior

Possible Solution

Invert the event filtering to use a list of the source streams the user DOES have access to (an allow list). A stream that no longer exists, or an event with no source streams at all, would then never be treated as readable by default.

Steps to Reproduce (for bugs)

  1. Have alerts (events) whose only source stream is a disposable stream
  2. Log in as a user that can view events but has no stream read permissions (e.g. only Reader and Event Definition Creator roles, and no shared streams)
  3. See that no alerts are visible
  4. Delete the stream from step 1
  5. See that the alerts are now visible to the user in step 2
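The following is an added example, not code from the Graylog project: a small Python model of the deny-list filter described under Description and of the allow-list inversion proposed under Possible Solution, walked through the reproduction steps above. The stream IDs, the user permission sets, the events and the function names are all constructed for illustration; the functions model the described logic rather than calling EventsSearchService.

```python
"""Model of event visibility filtering: deny list (current) vs allow list (proposed).

Constructed, illustrative code; not Graylog's. Stream IDs, users and
events are made up.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class Event:
    event_id: str
    source_streams: FrozenSet[str]  # streams the event was derived from


def forbidden_streams(existing: Set[str], readable: Set[str]) -> Set[str]:
    """Deny list: every stream that still exists and the user cannot read.

    A deleted stream is no longer in `existing`, so it silently drops off
    the deny list even though the user was never granted access to it.
    """
    return existing - readable


def visible_deny_list(events: Iterable[Event], existing: Set[str],
                      readable: Set[str]) -> List[str]:
    """Current behaviour: hide an event only if one of its source streams is
    on the deny list. Events whose sources have all been deleted, or that
    have no sources at all, pass straight through."""
    forbidden = forbidden_streams(existing, readable)
    return [e.event_id for e in events if not (e.source_streams & forbidden)]


def visible_allow_list(events: Iterable[Event], readable: Set[str]) -> List[str]:
    """Proposed behaviour: show an event only if it has at least one source
    stream and every source stream is readable by the user. A deleted stream
    is never readable, and source-less events are hidden rather than shown
    to everyone."""
    return [e.event_id for e in events
            if e.source_streams and e.source_streams <= readable]


# Constructed sample data for the reproduction steps.
EVENTS = [
    Event("ev-disposable", frozenset({"stream-disposable"})),
    Event("ev-prod", frozenset({"stream-prod"})),
    Event("ev-asset", frozenset()),  # e.g. an asset event with no source stream
]


def reproduce():
    """Walk the reproduction steps as a user with no stream read permissions.

    Returns (deny list before deletion, deny list after deletion,
    allow list after deletion)."""
    existing = {"stream-prod", "stream-disposable"}
    reader_without_streams: Set[str] = set()  # Reader role only, nothing shared

    before = visible_deny_list(EVENTS, existing, reader_without_streams)
    existing.discard("stream-disposable")  # step 4: delete the disposable stream
    after = visible_deny_list(EVENTS, existing, reader_without_streams)
    fixed = visible_allow_list(EVENTS, reader_without_streams)
    return before, after, fixed


if __name__ == "__main__":
    before, after, fixed = reproduce()
    print("deny list, before deletion:", before)  # ['ev-asset']
    print("deny list, after deletion: ", after)   # ['ev-disposable', 'ev-asset']
    print("allow list, after deletion:", fixed)   # []
    # A user who can read stream-prod still sees that stream's events under the allow list.
    print("allow list, prod reader:   ", visible_allow_list(EVENTS, {"stream-prod"}))  # ['ev-prod']
```

Note that even before the deletion the deny-list variant already leaks the source-less asset event, which is the second problem described above; the allow-list variant hides it for every user who has not been granted a stream that the event was derived from, while a user who can read stream-prod still sees ev-prod.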

Context

Your Environment

  • Graylog Version:
  • Java Version:
  • OpenSearch Version:
  • MongoDB Version:
  • Operating System:
  • Browser version:

Checklist

[ ] This issue fix needs to be backported.
[ ] Does this issue have security implications?
