Data (workspace) security does not apply to layer groups

Description

As far as I understand, a rule that looks like

1 <workspace>.*.r

that's given a role of ROLE_AUTHENTICATED, means that when you're logged out, you should see nothing from this workspace.

As of 2.9 and 2.10, this is no longer happening.

To reproduce:

  1. With a default GeoServer, change the spearfish layer group to be in the sf workspace.

  2. Add a new Data Security rule of sf.*.r and give it a role of ROLE_AUTHENTICATED.

  3. Log out.

  4. Go to Layer Preview.

  5. You will see no other layers from the sf workspace, but you will still see sf:spearfish.

Environment

Windows / Ubuntu

Status

Assignee

Andrea Aime

Reporter

Mike Pumphrey

Triage

None

Fix versions

Affects versions

2.10.0

Priority

Medium
Configure