From 2a5af16f51432e0d8b9fe845a5082de3266604c5 Mon Sep 17 00:00:00 2001
From: "Eyo O. Eyo" <7893459+eokoneyo@users.noreply.github.com>
Date: Mon, 13 Jan 2025 14:51:15 +0100
Subject: [PATCH] [Authz] migration for sharedUX routes without access tags
 (#206308)

## Summary

Relates to https://github.com/elastic/kibana-team/issues/1236, this PR
tackles routes could not have been migrated automatically by the
security team. Following the guidance provided in the aforementioned
issue leveraging util provided by the security team have been employed
to explain why the routes modified in this PR aren't requiring an
specific kind of privilege.


<!--

### Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

### Identify risks

Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.

Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.

- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...



-->

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
---
 .../favorites_server/src/favorites_routes.ts  | 27 ++++++++++++++-----
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/src/platform/packages/shared/content-management/favorites/favorites_server/src/favorites_routes.ts b/src/platform/packages/shared/content-management/favorites/favorites_server/src/favorites_routes.ts
index 512b2cbe1260e..38fed392c9372 100644
--- a/src/platform/packages/shared/content-management/favorites/favorites_server/src/favorites_routes.ts
+++ b/src/platform/packages/shared/content-management/favorites/favorites_server/src/favorites_routes.ts
@@ -90,8 +90,13 @@ export function registerFavoritesRoutes({
           )
         ),
       },
-      // we don't protect the route with any access tags as
-      // we only give access to the current user's favorites ids
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            "we don't protect the route with any access tags as we only give access to the current user's favorites ids",
+        },
+      },
     },
     async (requestHandlerContext, request, response) => {
       const coreRequestHandlerContext = await requestHandlerContext.core;
@@ -148,8 +153,13 @@ export function registerFavoritesRoutes({
           type: typeSchema,
         }),
       },
-      // we don't protect the route with any access tags as
-      // we only give access to the current user's favorites ids
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            "we don't protect the route with any access tags as we only give access to the current user's favorites ids",
+        },
+      },
     },
     async (requestHandlerContext, request, response) => {
       const coreRequestHandlerContext = await requestHandlerContext.core;
@@ -187,8 +197,13 @@ export function registerFavoritesRoutes({
           type: typeSchema,
         }),
       },
-      // we don't protect the route with any access tags as
-      // we only give access to the current user's favorites ids
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            "we don't protect the route with any access tags as we only give access to the current user's favorites ids",
+        },
+      },
     },
     async (requestHandlerContext, request, response) => {
       const coreRequestHandlerContext = await requestHandlerContext.core;