[NEXUS-11238] Repository View - Browse permission grants too much access - Sonatype JIRA

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.1.0
Fix Version/s: 3.3.0
Component/s: Security
Labels:
- security
- supportant

Epic Link:
Privilege Simplification
Sprint:
Formats/Core Team - Sprint 92

Description

The current security model works as follows

Content retrieval:

If user has 'Repository View - read' permission, can read any content in the repo
If user has 'Content Selector - read' permission, can read any matching content in the repo

Content Browsing:

If user has 'Repository View - browse' permission, can browse any content in the repo
If user has 'Content Selector - browse' pemission, can browse any matching content in the repo

In theory this looks fine, but in practice, since you need any single 'Repository View' permission to see the browse component of the UI, as soon as you add that, you auto grant full browse access to the repository (i.e. completely override any content selector perms applied to that repo)

Attachments

Issue Links

is duplicated by

NEXUS-11937 privileges which allow reading repository content also expose all repository names when browsing assets / components

Closed

Activity

People

Assignee:: Joseph Stephens

Reporter:: Damian Bradicich

Last Updated By:: Joe Tom

Votes:: 1 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 10/20/16 02:31 PM

Updated:: 07/08/20 08:37 PM

Resolved:: 03/29/17 07:41 PM

Date of First Response:: 13/Jan/17 4:57 PM