elastic · kibanamachine · Oct 4, 2022 · Oct 4, 2022
diff --git a/...lugins/security/server/routes/authorization/spaces/share_saved_object_permissions.test.ts b/...lugins/security/server/routes/authorization/spaces/share_saved_object_permissions.test.ts
@@ -36,6 +36,7 @@ describe('Share Saved Object Permissions', () => {
   describe('GET /internal/security/_share_saved_object_permissions', () => {
     let routeHandler: RequestHandler<any, any, any, SecurityRequestHandlerContext>;
     let routeConfig: RouteConfig<any, any, any, any>;
+
     beforeEach(() => {
       const [shareRouteConfig, shareRouteHandler] = router.get.mock.calls.find(
         ([{ path }]) => path === '/internal/security/_share_saved_object_permissions'
@@ -50,6 +51,24 @@ describe('Share Saved Object Permissions', () => {
       expect(routeConfig.validate).toHaveProperty('query');
     });
 
+    it('returns `not found` when security is diabled', async () => {
+      routeParamsMock.license.isEnabled = jest.fn().mockReturnValue(false);
+
+      const request = httpServerMock.createKibanaRequest({
+        query: {
+          type: 'foo-type',
+        },
+      });
+
+      await expect(
+        routeHandler(mockContext, request, kibanaResponseFactory)
+      ).resolves.toMatchObject({
+        status: 404,
+      });
+
+      expect(routeParamsMock.license.isEnabled).toHaveBeenCalled();
+    });
+
     it('returns `true` when the user is authorized globally', async () => {
       const checkPrivilegesWithRequest = jest.fn().mockResolvedValue({ hasAllRequested: true });
 

diff --git a/x-pack/plugins/security/server/routes/authorization/spaces/share_saved_object_permissions.ts b/x-pack/plugins/security/server/routes/authorization/spaces/share_saved_object_permissions.ts
@@ -11,7 +11,11 @@ import type { RouteDefinitionParams } from '../..';
 import { wrapIntoCustomErrorResponse } from '../../../errors';
 import { createLicensedRouteHandler } from '../../licensed_route_handler';
 
-export function defineShareSavedObjectPermissionRoutes({ router, authz }: RouteDefinitionParams) {
+export function defineShareSavedObjectPermissionRoutes({
+  router,
+  authz,
+  license,
+}: RouteDefinitionParams) {
   router.get(
     {
       path: '/internal/security/_share_saved_object_permissions',
@@ -21,6 +25,10 @@ export function defineShareSavedObjectPermissionRoutes({ router, authz }: RouteD
       let shareToAllSpaces = true;
       const { type } = request.query;
 
+      if (!license.isEnabled()) {
+        return response.notFound();
+      }
+
       try {
         const checkPrivileges = authz.checkPrivilegesWithRequest(request);
         shareToAllSpaces = (