The current security model works as follows:
Content retrieval:
- If user has 'Repository View - read' permission, can read any content in the repo
- If user has 'Content Selector - read' permission, can read any matching content in the repo
Content Browsing:
- If user has 'Repository View - browse' permission, can browse any content in the repo
- If user has 'Content Selector - browse' permission, can browse any matching content in the repo
In theory this looks fine. In practice, however, you need any single 'Repository View' permission to see the browse component of the UI, and as soon as you add that, you automatically grant full browse access to the repository (i.e. you completely override any content selector permissions applied to that repo).
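The override described above can be reproduced with a small model of the permission checks. This is an added example, not Nexus code: the `User` class, the function names, the sample paths and the prefix-based selector matching are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample asset paths (not from a real repository).
PATHS = ["com/acme/app/1.0/app.jar", "com/other/lib/2.0/lib.jar"]

@dataclass
class User:
    # 'Repository View' actions held on the repo: any of {"read", "browse"}
    repo_view: set = field(default_factory=set)
    # 'Content Selector' grants: action -> path prefixes (prefix match is an
    # assumption standing in for the real selector expression)
    selectors: dict = field(default_factory=dict)

def allowed(user, action, path):
    """Apply the rules listed above for 'read' or 'browse' on one path."""
    if action in user.repo_view:
        return True  # repo-wide grant: the path is never consulted
    return any(path.startswith(p) for p in user.selectors.get(action, []))

def sees_browse_ui(user):
    """The browse UI needs any single 'Repository View' permission."""
    return bool(user.repo_view)

def browsable(user, paths=PATHS):
    """Paths the user can actually browse through the UI."""
    if not sees_browse_ui(user):
        return []
    return [p for p in paths if allowed(user, "browse", p)]

def scenario():
    acme_only = {"read": ["com/acme/"], "browse": ["com/acme/"]}
    # Intended setup: selector permissions only.
    restricted = User(selectors=acme_only)
    # Setup after adding 'Repository View - browse' so the UI shows up.
    widened = User(repo_view={"browse"}, selectors=acme_only)
    return {
        "restricted_ui": sees_browse_ui(restricted),
        "restricted_browse": browsable(restricted),
        "widened_browse": browsable(widened),
        "widened_read_other": allowed(widened, "read", PATHS[1]),
    }

if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

With selector permissions alone the user has no browse UI at all; once 'Repository View - browse' is added, every path is browsable even though read access is still limited by the selector.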
- is duplicated by: NEXUS-11937 privileges which allow reading repository content also expose all repository names when browsing assets / components (Closed)