[NEXUS-11937] privileges which allow reading repository content also expose all repository names when browsing assets / components - Sonatype JIRA

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.1.0, 3.2.0, 3.2.1, 3.3.0
Fix Version/s: 3.3.0
Component/s: Browse Storage
Labels:

Story Points:
3
Epic Link:
Privilege Simplification
Sprint:
Sprint 91

Description

Anonymous user is assigned one role with only the following:
nexus:repository-view:maven2:maven-central:browse
nexus:repository-view:maven2:maven-central:read

There is a difference in behaviour between Nexus 3.0.2 and 3.1.0.

In Nexus 3.0.2 you only see maven-central in Browse Assets/Components.

In Nexus 3.1.0 you see all the repos in Browse Assets/Components. You do not see artifacts under repositories that you do not permissions for, but the issue is that the repository should not displayed

NOTE: This does not allow users to see the repository content, just the repository names.

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

Browse 3.0.2.png
61 kB
12/16/16 05:38 PM
Browse 3.1.0.png
105 kB
12/16/16 05:38 PM

Issue Links

duplicates

NEXUS-11238 Repository View - Browse permission grants too much access

Closed

Activity

People

Assignee:

Frederick Milens

Reporter:

Binh Phung

Last Updated By:

Rich Seddon

Votes:

9 Vote for this issue

Watchers:

20 Start watching this issue

Dates

Created:

12/16/16 05:44 PM

Updated:

11/08/17 03:10 PM

Resolved:

03/28/17 12:41 PM

Date of First Response:

16/Dec/16 5:47 PM