[NEXUS-12452] bower install fails when user has only group level privileges - Sonatype JIRA

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.2.1
Fix Version/s: 3.8.0
Component/s: Bower, Security
Labels:
- supportant

Story Points:
1

Description

If a user has read privileges to a bower group, but not the underlying bower proxy, then the "bower install <package>" will fail for any package that is not locally cached.

Steps to reproduce:

Setup a bower group bower-group that has a bower proxy bower-proxy as a member
Setup a user (boweruser) that only has view access to bower-group (i.e. nx-repository-view-bower-bower-group-*)
Try to install a bower package that is not locally cached in proxy bower-proxy

Configure .bowerrc to use the boweruser user:

{
    "registry" :  "http://localhost:8081/repository/bower-group" ,
    "resolvers"  : [  "bower-nexus3-resolver" ],
    "nexus" : {
      "username" : "boweruser",
      "password" : "boweruser"
    }
}

The bower install command will fail like the following:

% bower install mongoose
bower mongoose#*            not-cached nexus+http://localhost:8081/repository/bower-group/mongoose#*
bower mongoose#*               resolve nexus+http://localhost:8081/repository/bower-group/mongoose#*
bower mongoose#*                 error http://boweruser:boweruser@localhost:8081/repository/bower-group/mongoose/versions.json (HTTP 403)

Stack trace:
Error: http://boweruser:boweruser@localhost:8081/repository/bower-group/mongoose/versions.json (HTTP 403)
    at Request._callback (/usr/local/lib/node_modules/bower-nexus3-resolver/src/index.js:214:20)
    at Request.self.callback (/usr/local/lib/node_modules/bower-nexus3-resolver/node_modules/request/request.js:198:22)
    at emitTwo (events.js:106:13)
    at Request.emit (events.js:192:7)
    at Request.<anonymous> (/usr/local/lib/node_modules/bower-nexus3-resolver/node_modules/request/request.js:1035:10)
    at emitOne (events.js:101:20)
    at Request.emit (events.js:189:7)
    at IncomingMessage.<anonymous> (/usr/local/lib/node_modules/bower-nexus3-resolver/node_modules/request/request.js:962:12)
    at emitNone (events.js:91:20)
    at IncomingMessage.emit (events.js:186:7)

Console trace:
Error
    at StandardRenderer.error (/usr/local/lib/node_modules/bower/lib/renderers/StandardRenderer.js:81:37)
    at Logger.<anonymous> (/usr/local/lib/node_modules/bower/lib/bin/bower.js:110:26)
    at emitOne (events.js:96:13)
    at Logger.emit (events.js:189:7)
    at Logger.emit (/usr/local/lib/node_modules/bower/lib/node_modules/bower-logger/lib/Logger.js:29:39)
    at /usr/local/lib/node_modules/bower/lib/commands/index.js:48:20
    at _rejected (/usr/local/lib/node_modules/bower/lib/node_modules/q/q.js:844:24)
    at /usr/local/lib/node_modules/bower/lib/node_modules/q/q.js:870:30
    at Promise.when (/usr/local/lib/node_modules/bower/lib/node_modules/q/q.js:1122:31)
    at Promise.promise.promiseDispatch (/usr/local/lib/node_modules/bower/lib/node_modules/q/q.js:788:41)
System info:
Bower version: 1.8.0
Node version: 7.6.0
OS: Darwin 16.4.0 x64

Attachments

Issue Links

discovered while testing

NEXUS-11965 npm install fails with 500 error when user has Group level privileges

Closed

Activity

People

Assignee:: Joe Tom

Reporter:: Brad Beck

Last Updated By:: Peter Lynch

Team:: Nexus - Formats

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 02/22/17 09:50 PM

Updated:: 01/30/18 05:44 PM

Resolved:: 01/05/18 09:54 PM

Date of First Response:: 24/Feb/17 6:12 PM