  1. Dev - Nexus Repo
  2. NEXUS-30744

saving a repository-content-selector privilege with a bad content selector reference is allowed

    Details

    • Type: Bug
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.37.0
    • Fix Version/s: None
    • Component/s: Security, UI
    • Labels:
    • Notability:
      n/a

      Description

      One can create a repository content selector privilege referencing a content selector id that does not exist.

      Example bash script that can do this:

      creds="admin:admin123"
      serverhost="localhost"
      repo3_url="http://$serverhost:8081"
      
      # Create a privilege through the UI's Ext.Direct RPC endpoint.
      # $1: privilege name, $2: privilege type, $3: JSON members of "properties"
      function r3_create_priv(){
        local priv_name="$1"
        local priv_type="$2"
        local priv_props="$3"
        local payload='{"action":"coreui_Privilege","method":"create","data":[{"id":"NX.coreui.model.Privilege-1","name":"'$priv_name'","description":"'$priv_name' desc","version":"","type":"'$priv_type'","properties":{'$priv_props'}}],"type":"rpc","tid":41}'
        curl -v -u "$creds" "${repo3_url}/service/extdirect" -H "Content-Type: application/json" --data-raw "$payload"
      }
      
      function r3_create_repo_content_selector_priv(){
        local priv_name="${1:-"test-repo-content-selector-priv"}"
        # contentSelector: existing content selector id
        # repository: repository id or *-format for all repos of a given format or * for all repos
        # actions: comma delim list of actions
        local priv_csel="${2:-"test-csel"}"
        local priv_repo="${3:-"*"}"
        local priv_actions="${4:-"browse,read,edit,add,delete"}"
        local priv_props='"contentSelector":"'$priv_csel'","repository":"'$priv_repo'","actions":"'$priv_actions'"'
        r3_create_priv "$priv_name" 'repository-content-selector' "$priv_props"
      }
      
      # Called with defaults: references the content selector id "test-csel"
      r3_create_repo_content_selector_priv
      
      

      This works even though "test-csel" does not exist.

      Now open the screen to edit this privilege in the UI. The "Save" button is enabled and can be clicked to again save the privilege with a null content selector.

      Expected

      1. Prevent content selector privileges from being created in the first place with bad references.
      2. If a priv already does have a reference to a CSEL that no longer exists, the UI should not allow saving the privilege again with a null value.
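
The referential check the report asks for, run after the fact as an audit over existing privileges. This is an added example, not code from the original report or from Nexus Repository. It assumes the privilege and content selector lists were retrieved as JSON from the REST endpoints `/service/rest/v1/security/privileges` and `/service/rest/v1/security/content-selectors`, and that the field names `name`, `type` and `contentSelector` match those responses; the sample records are constructed.

```python
# Constructed sample records (field names are an assumption about the REST
# responses; the first privilege mirrors the one the report's script creates).
SAMPLE_PRIVILEGES = [
    {"name": "test-repo-content-selector-priv", "type": "repository-content-selector",
     "contentSelector": "test-csel", "repository": "*", "actions": ["BROWSE", "READ"]},
    # A privilege re-saved in the UI after its selector vanished (null reference).
    {"name": "resaved-in-ui", "type": "repository-content-selector",
     "contentSelector": None, "repository": "*", "actions": ["READ"]},
    {"name": "good-priv", "type": "repository-content-selector",
     "contentSelector": "releases-only", "repository": "maven-releases",
     "actions": ["READ"]},
    # Other privilege types carry no selector reference and are skipped.
    {"name": "view-all-read", "type": "repository-view",
     "format": "*", "repository": "*", "actions": ["READ"]},
]
SAMPLE_SELECTORS = [
    {"name": "releases-only", "type": "csel", "expression": "format == 'maven2'"},
]


def find_dangling_privileges(privileges, selectors):
    """Return (privilege name, referenced selector, reason) for every
    repository-content-selector privilege whose reference cannot be resolved."""
    known = {s["name"] for s in selectors}
    findings = []
    for priv in privileges:
        if priv.get("type") != "repository-content-selector":
            continue
        ref = priv.get("contentSelector")
        if not ref:
            findings.append((priv["name"], ref, "null or empty reference"))
        elif ref not in known:
            findings.append((priv["name"], ref, "selector does not exist"))
    return findings


if __name__ == "__main__":
    for name, ref, reason in find_dangling_privileges(SAMPLE_PRIVILEGES,
                                                      SAMPLE_SELECTORS):
        print(f"{name}: contentSelector={ref!r} ({reason})")
```
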

            People

            Assignee:
            Unassigned
            Reporter:
            plynch Peter Lynch
            Last Updated By:
            Michael Oliverio