[NEXUS-11937] privileges which allow reading repository content also expose all repository names when browsing assets / components - Sonatype JIRA

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.1.0, 3.2.0, 3.2.1, 3.3.0
Fix Version/s: 3.3.0
Component/s: Browse Storage
Labels:
- security
- supportant

Story Points:
3
Epic Link:
Privilege Simplification
Sprint:
Sprint 91

Description

Anonymous user is assigned one role with only the following:
nexus:repository-view:maven2:maven-central:browse
nexus:repository-view:maven2:maven-central:read

There is a difference in behaviour between Nexus 3.0.2 and 3.1.0.

In Nexus 3.0.2 you only see maven-central in Browse Assets/Components.

In Nexus 3.1.0 you see all the repos in Browse Assets/Components. You do not see artifacts under repositories that you do not permissions for, but the issue is that the repository should not displayed

NOTE: This does not allow users to see the repository content, just the repository names.

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

Browse 3.0.2.png
61 kB
12/16/16 05:38 PM
Browse 3.1.0.png
105 kB
12/16/16 05:38 PM

Issue Links

duplicates

NEXUS-11238 Repository View - Browse permission grants too much access

Closed

Activity

People

Assignee:: Frederick Milens

Reporter:: Binh Phung

Last Updated By:: Joe Tom

Votes:: 9 Vote for this issue

Watchers:: 20 Start watching this issue

Dates

Created:: 12/16/16 05:44 PM

Updated:: 07/08/20 08:36 PM

Resolved:: 03/28/17 12:41 PM

Date of First Response:: 16/Dec/16 5:47 PM

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

tigCommentSecurity.panel-title