Dev - Nexus Repo / NEXUS-31796

transitive repo group content privileges are not transparently applied to search results causing possible 403 errors in the UI

    • Sprint: NXRM Immortals Sprint 35, NXRM Immortals Sprint 36

Create this repo structure:

 ⧈ maven-all (maven2-group)
│   ├ ⧈ maven-all-prod (maven2-group)
│   │   ├ ▶ maven-mule-pub (maven2-proxy) ≻ https://repository.mulesoft.org/releases/

Create a role that includes all actions for repository-view against the group repos:

└ 📂 P-DG-Maven
    ├ ▪ nx-repository-view-maven2-maven-all-*
    ├ ▪ nx-repository-view-maven2-maven-all-prod-*
    ├ ▪ nx-search-read

Create a "test" user and assign this user the P-DG-Maven role.

Confirm these requests return 200:

curl -v -u test:admin123 http://localhost:8081/repository/maven-all-prod/com/wsl/modules/stripe-connector/1.0.3/stripe-connector-1.0.3.pom -o /dev/null
curl -v -u test:admin123 http://localhost:8081/repository/maven-all/com/wsl/modules/stripe-connector/1.0.3/stripe-connector-1.0.3.pom -o /dev/null

Confirm this request returns 403:

curl -v -u test:admin123 http://localhost:8081/repository/maven-mule-pub/com/wsl/modules/stripe-connector/1.0.3/stripe-connector-1.0.3.pom -o /dev/null

So far, transitive privileges work as designed in Repository 3: direct content access by way of a group repo allows access to the content of its members, while a direct request to a member repo that the user has no privilege on is denied. Note: this is not how Repository 2 worked.


Open a new private browsing window.
Log in to the UI of Repository 3 as the "test" user.
Open Search - Maven.
Problem: A toast popup displays a 403 error even though the end user has made no query. The default query is sent in the background, and it would only return the one component we have cached. The search results are empty.

Variation of Problem:
Suppose the default search results from the default query contain only results the user has direct access to; then there is no 403 error initially and the results are shown.

When the user then starts typing a keyword or artifact id and an automatic search is sent as they type, the 403 can also be triggered if that backend query returns a result they do not have direct read/browse privileges for.


The toast 403 error causes confusion about whether the user does or does not have access to something; there are no further details in the UI that explain why that error is shown.

Improve this experience. The user technically does have read/browse access to some content for which the UI shows a 403 error on search.
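As an added illustration (not Nexus's own code), the following Python models the issue's repo tree and P-DG-Maven role as constructed data and resolves which repos the "test" user reaches directly versus only transitively through a group, so a search hit stored in maven-mule-pub can be labelled as reachable via maven-all instead of surfacing as a 403. The privilege-name layout nx-repository-view-<format>-<repo>-<action> and the extra repo maven-central (to show a denied case) are assumptions.

```python
import fnmatch
from collections import deque

# Constructed model of the repo tree from the issue: group -> member repos.
GROUPS = {
    "maven-all": ["maven-all-prod"],
    "maven-all-prod": ["maven-mule-pub"],
}
# maven-central is a hypothetical repo the role grants nothing on.
ALL_REPOS = ["maven-all", "maven-all-prod", "maven-mule-pub", "maven-central"]

# Privileges of the P-DG-Maven role as listed in the issue.
ROLE_PRIVS = [
    "nx-repository-view-maven2-maven-all-*",
    "nx-repository-view-maven2-maven-all-prod-*",
    "nx-search-read",
]

def view_patterns(privs, fmt="maven2"):
    """Repo-name globs the privileges grant read/browse on, assuming the
    layout nx-repository-view-<format>-<repo>-<action>."""
    prefix = f"nx-repository-view-{fmt}-"
    patterns = set()
    for p in privs:
        if not p.startswith(prefix):
            continue
        repo, _, action = p[len(prefix):].rpartition("-")
        if action in ("*", "read", "browse"):
            patterns.add(repo)
    return patterns

def reachable_members(groups, root):
    """Every repo reachable from `root` through nested group membership."""
    seen, queue = set(), deque([root])
    while queue:
        for member in groups.get(queue.popleft(), []):
            if member not in seen:
                seen.add(member)
                queue.append(member)
    return seen

def direct_repos(privs, all_repos):
    """Repos a direct URL /repository/<repo>/... is allowed for (200, else 403)."""
    pats = view_patterns(privs)
    return {r for r in all_repos if any(fnmatch.fnmatchcase(r, p) for p in pats)}

def search_hit_access(repo, privs, groups, all_repos):
    """How a search hit stored in `repo` should be presented to the user."""
    direct = direct_repos(privs, all_repos)
    if repo in direct:
        return ("direct", repo)
    for group in sorted(direct):  # deterministic choice of the granting group
        if repo in reachable_members(groups, group):
            return ("via-group", group)
    return ("denied", None)
```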




    • Assignee: Unassigned
    • Peter Lynch (plynch)
    • Last Updated By: Michael Oliverio
    • NXRM - IMMORTALS