Display secure parameters when role has proper perms (#7688)

* fix conditional for secure parameters * add change * handle v5 functionality
apache · Aug 9, 2023 · 16cffe1 · 16cffe1
1 parent 849d166
commit 16cffe1
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -145,6 +145,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 - [#7628](https://github.com/apache/trafficcontrol/pull/7628) *Traffic Ops* Fixes an issue where certificate chain validation failed based on leading or trailing whitespace.
 - [#7596](https://github.com/apache/trafficcontrol/pull/7596) *Traffic Ops* Fixes `federation_resolvers` v5 apis to respond with `RFC3339` date/time Format.
 - [#7660](https://github.com/apache/trafficcontrol/pull/7660) *Traffic Ops* Fixes `deliveryServices` v5 apis to respond with `RFC3339` date/time Format.
+- [#7686](https://github.com/apache/trafficcontrol/pull/7686) *Traffic Ops* Fixes secured parameters being visible when role has proper permissions.
 - [#7697](https://github.com/apache/trafficcontrol/pull/7697) *Traffic Ops* Fixes `iloPassword` and `xmppPassword` checking for priv-level instead of using permissions.
 
 ### Removed

diff --git a/traffic_ops/traffic_ops_golang/parameter/parameters.go b/traffic_ops/traffic_ops_golang/parameter/parameters.go
@@ -176,10 +176,18 @@ func (param *TOParameter) Read(h http.Header, useIMS bool) ([]interface{}, error
 			return nil, nil, errors.New("scanning " + param.GetType() + ": " + err.Error()), http.StatusInternalServerError, nil
 		}
 		if p.Secure != nil && *p.Secure {
-			if param.ReqInfo.Version.Major >= 4 &&
-				param.ReqInfo.Config.RoleBasedPermissions &&
-				!param.ReqInfo.User.Can("PARAMETER-SECURE:READ") {
-				p.Value = &HiddenField
+			if param.ReqInfo.Version.Major >= 5 {
+				if !param.ReqInfo.User.Can("PARAMETER-SECURE:READ") {
+					p.Value = &HiddenField
+				}
+			} else if param.ReqInfo.Version.Major == 4 {
+				if param.ReqInfo.Config.RoleBasedPermissions {
+					if !param.ReqInfo.User.Can("PARAMETER-SECURE:READ") {
+						p.Value = &HiddenField
+					}
+				} else if param.ReqInfo.User.PrivLevel < auth.PrivLevelAdmin {
+					p.Value = &HiddenField
+				}
 			} else if param.ReqInfo.User.PrivLevel < auth.PrivLevelAdmin {
 				p.Value = &HiddenField
 			}