kibana/x-pack/test/ui_capabilities
Kibana Machine 691dde541a
[8.18] Disable allowAbsoluteUrls for axios (#215138) (#215828)
# Backport

This will backport the following commits from `main` to `8.18`:
- [Disable `allowAbsoluteUrls` for axios
(#215138)](https://github.com/elastic/kibana/pull/215138)

### Questions?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

---------

Co-authored-by: Alex Szabo <alex.szabo@elastic.co>
2025-03-26 02:52:05 +02:00
common [8.18] Disable allowAbsoluteUrls for axios (#215138) (#215828) 2025-03-26 02:52:05 +02:00
security_and_spaces [8.18] [Search] Add read version of enterprise search privilege (#211810) (#212231) 2025-02-27 18:52:39 +00:00
spaces_only [Search] Implement RBAC Kibana feature for Search (#192130) 2024-09-12 16:53:26 +02:00
README.md

UI Capability Tests

These tests give us the most coverage to ensure that spaces and security work independently and cooperatively. They each cover different situations, and are supplemented by functional UI tests to ensure that security and spaces are each independently able to disable the UI elements. These tests use a "foo" plugin to ensure that its UI capabilities are adjusted appropriately. We don't use actual plugins/apps for these tests, because they are prone to change and exercising them is not the point of these tests. The point is to ensure that the primary UI capabilities are adjusted appropriately by both the security and spaces plugins.

Security and Spaces

We want to test all combinations of the following users at the following spaces. The goal of these tests is to ensure that UI capabilities can be disabled either by the privileges at a specific space or by the space disabling the features.

Users

- user with no kibana privileges
- superuser
- legacy all
- legacy read
- dual privileges all
- dual privileges read
- global read
- global all
- everything_space read
- everything_space all
- nothing_space read
- nothing_space all

Spaces

- everything_space - all features enabled
- nothing_space - no features enabled

Security

The security tests focus on more permutations of users' privileges, and primarily on privileges granted globally (at all spaces).

Users

- no kibana privileges
- superuser
- legacy all
- dual privileges all
- dual privileges read
- global read
- global all
- foo read
- foo all

Spaces

The Space tests focus on the result of disabling certain feature(s).

Spaces

- everything enabled
- nothing enabled
- foo disabled