Details
- Type: Bug
- Status: Open
- Priority: Medium
- Resolution: Unresolved
- Affects Version/s: 3.19.0, 3.20.0
- Fix Version/s: None
- Component/s: NPM
- Labels: None
- Notability: 2
Description
A user with basic read access, e.g. nx-anonymous, can successfully perform an 'npm login', but an 'npm logout' fails with a 403 because a DELETE request is made to remove the npm token:
npm logout --registry=http://localhost:8081/repository/npm/ -ddd
...
npm http request DELETE http://localhost:8081/repository/npm/-/user/token/NpmToken.339faa21-76c9-3474-bbe1-1eec9fac617e
npm http 403 http://localhost:8081/repository/npm/-/user/token/NpmToken.339faa21-76c9-3474-bbe1-1eec9fac617e
npm verb headers { date: 'Thu, 09 Jan 2020 10:28:58 GMT',
npm verb headers   server: 'Nexus/3.20.0-04 (PRO)',
npm verb headers   'x-content-type-options': 'nosniff',
npm verb headers   'content-security-policy':
npm verb headers    'sandbox allow-forms allow-modals allow-popups allow-presentation allow-scripts allow-top-navigation',
npm verb headers   'x-xss-protection': '1; mode=block',
npm verb headers   'content-length': '0' }
npm verb stack Error: 403 Forbidden
This is the same issue as reported previously in NEXUS-14459.
A user who can successfully npm login with a given set of permissions should also be able to npm logout with those same permissions.
To work around this, create a content selector with this expression:
path =^ "/-/user/token/"
Then create a content selector privilege that uses that content selector and the "delete" action, and assign it to the user via a role.
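Because the workaround grants "delete" to a low-privilege user, it is worth confirming that the selector covers only token paths. The following is an added example, not part of the original issue or of Nexus itself: it models only the starts-with operator (=^) used in the expression above, the function names are hypothetical, and the sample URLs (including the token id) are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Selector expression taken from the workaround on this page.
SELECTOR = 'path =^ "/-/user/token/"'

def parse_prefix_selector(expression):
    """Return the prefix of an expression of the form: path =^ "<prefix>"."""
    m = re.fullmatch(r'\s*path\s*=\^\s*"([^"]*)"\s*', expression)
    if m is None:
        raise ValueError('only path =^ "..." expressions are modelled here')
    return m.group(1)

def repo_path(url, repository):
    """Repository-relative path of a request URL, leading slash kept."""
    base = f"/repository/{repository}"
    path = unquote(urlsplit(url).path)
    if not path.startswith(base + "/"):
        raise ValueError(f"{url} is not under {base}/")
    return path[len(base):]

def selector_matches(expression, url, repository):
    """True if the repository-relative path starts with the selector prefix."""
    prefix = parse_prefix_selector(expression)
    return repo_path(url, repository).startswith(prefix)

# Constructed sample requests against the registry URL used on this page.
BASE = "http://localhost:8081/repository/npm"
SAMPLES = [
    BASE + "/-/user/token/NpmToken.00000000-0000-0000-0000-000000000000",
    BASE + "/-/user/token",                      # no trailing slash
    BASE + "/-/user/org.couchdb.user:alice",     # user document, not a token
    BASE + "/example-pkg",                       # package metadata
    BASE + "/example-pkg/-/example-pkg-1.0.0.tgz",  # package tarball
]

def covered(expression=SELECTOR, urls=SAMPLES, repository="npm"):
    """Return the sample URLs the selector would apply to."""
    return [u for u in urls if selector_matches(expression, u, repository)]

if __name__ == "__main__":
    hits = set(covered())
    for url in SAMPLES:
        print("MATCH   " if url in hits else "no match", url)
```

Only the token URL is reported as a match, so the "delete" action attached to this selector does not extend to package metadata or tarballs.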
Issue Links
- is related to NEXUS-14459 npm logout throws a 403 error (Closed)