Allow users with any permission type to perform passive declarations (backport #16272) #16274
Merged
In `4.3.0` and `4.2.6`, the standard `configure` permission was enforced for passive queue and exchange declarations, matching the "regular" declaration case.

However, this can be a breaking change for some applications that do not have the `configure` permission on target resources.

With this change, any permission (e.g. `read`) on the target resource will be considered sufficient as passive declaration is completely non-destructive by definition.

Note that this permission check prevents arbitrary resource enumeration via passive declares.

The change applies to both `queue.declare` and `exchange.declare`.

References #16085.

Conflicts: deps/rabbit/Makefile

(cherry picked from commit 54c97bf)

# Conflicts:
# deps/rabbit/Makefile
The old code used `lists:any/2` over the `[read, write, configure]` list, and for each element, it called `lists:member/2` which scanned the entire cache. This resulted in up to 3 full scans of the cache. The new code uses a single `lists:any/2` pass over the cache, which is more efficient.

(cherry picked from commit 55b851e)
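A sketch of the check the two commit messages above describe, added here as an illustration and not taken from the RabbitMQ code base. The cache shape (a list of `{Resource, Permission}` pairs), the `AuthFun` callback, the module and function names, and the sample resources are all assumptions.

```erlang
%% Added sketch, not RabbitMQ source. Assumption: the per-channel cache is a
%% list of {Resource, Permission} pairs for checks that already succeeded.
-module(passive_perm_sketch).
-export([cached_old/2, cached_new/2, check_passive/3, demo/0]).

-define(PERMS, [read, write, configure]).

%% Old shape per the commit message: one lists:member/2 scan per permission,
%% so up to three full scans of the cache.
cached_old(Resource, Cache) ->
    lists:any(fun(Perm) -> lists:member({Resource, Perm}, Cache) end, ?PERMS).

%% New shape: a single lists:any/2 pass over the cache.
cached_new(Resource, Cache) ->
    lists:any(fun({R, P}) -> R =:= Resource andalso lists:member(P, ?PERMS) end,
              Cache).

%% Passive declare: any one permission is enough. On a cache miss, ask the
%% hypothetical AuthFun(Resource, Perm) -> boolean() until one grants.
check_passive(Resource, Cache, AuthFun) ->
    case cached_new(Resource, Cache) of
        true  -> {ok, Cache};
        false ->
            case lists:search(fun(P) -> AuthFun(Resource, P) end, ?PERMS) of
                {value, Perm} -> {ok, [{Resource, Perm} | Cache]};
                false         -> {error, access_refused}
            end
    end.

%% Constructed data: a user whose only permission is `read` on queue "orders".
demo() ->
    Orders  = {resource, <<"/">>, queue, <<"orders">>},
    Billing = {resource, <<"/">>, queue, <<"billing">>},
    Auth = fun(R, P) -> R =:= Orders andalso P =:= read end,
    {ok, C1} = check_passive(Orders, [], Auth),
    true = cached_old(Orders, C1) =:= cached_new(Orders, C1),
    %% Second call is served from the cache; the backend is never consulted.
    {ok, C1} = check_passive(Orders, C1, fun(_, _) -> error(not_cached) end),
    %% No permission at all: refused, so passive declares cannot be used
    %% to probe for resources the user has no access to.
    {error, access_refused} = check_passive(Billing, C1, Auth),
    ok.
```

Calling `passive_perm_sketch:demo()` returns `ok` when every match in it holds.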
Cherry-pick of 54c97bf has failed: To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally
3a83196 to 229b071
michaelklishin added a commit that referenced this pull request Apr 30, 2026
This is an automatic backport of pull request #16272 done by [Mergify](https://mergify.com).