Deleting a component by its component ID returns 404 when a Content Selector is used, otherwise 403, if the user has no "browse" privilege.
- Create a raw-hosted repository
- Upload a test file:
- Create testuser with a test role which has nx-repository-view-*-*-add|read|edit|delete (no browse)
- Search for the above component to find the component ID
- Delete this component as testuser, and get 403:
- Add nx-repository-view-*-*-browse to the test role, and run the above curl again.
As this test user is not browsing/reading but just deleting, the first "curl -X DELETE" should work.
The first "curl -X DELETE" returns 403 (Forbidden) and the second one returns 204, and the component was deleted.
The org.sonatype.nexus.repository.browse.internal.BrowseServiceImpl#getById method generates an SQL statement which uses the ContentAuth OSQLFunction. Inside this function, org.sonatype.nexus.repository.selector.internal.OrientContentAuthHelper#checkPathPermissions is used, and this function checks "BROWSE".
NOTE: If my observation is right, when a "docker" repository is used, setting a correct Content Selector might be difficult, because in the above function, it is probably checking the image name (not the path).
So, when the CSEL contains the expression "path =^ '/v2/deletetest/'" and the "deletetest/alpine:3.7" image is going to be deleted, it seems Nexus is checking whether "deletetest/alpine" starts with "/v2/deletetest".