Dev - Nexus Repo: NEXUS-31796

transitive repo group content privileges are not transparently applied to search results causing possible 403 errors in the UI

    Details

    • Sprint:
      NXRM Immortals Sprint 35, NXRM Immortals Sprint 36
    • Notability:
      3

      Description

       Preface

      Create this repo structure:

       ⧈ maven-all (maven2-group)
      │   ├ ⧈ maven-all-prod (maven2-group)
      │   │   ├ ▶ maven-mule-pub (maven2-proxy) ≻ https://repository.mulesoft.org/releases/
      

      Create a role that includes all actions for repository-view against the group repos:

      └ 📂 P-DG-Maven
          ├ ▪ nx-repository-view-maven2-maven-all-*
          ├ ▪ nx-repository-view-maven2-maven-all-prod-*
          ├ ▪ nx-search-read
      

      Create a "test" user and assign this user the P-DG-Maven role.

      Confirm these requests return 200:

      curl -v -u test:admin123 http://localhost:8081/repository/maven-all-prod/com/wsl/modules/stripe-connector/1.0.3/stripe-connector-1.0.3.pom -o /dev/null
      curl -v -u test:admin123 http://localhost:8081/repository/maven-all/com/wsl/modules/stripe-connector/1.0.3/stripe-connector-1.0.3.pom -o /dev/null
      

      Confirm this request returns 403:

      curl -v -u test:admin123 http://localhost:8081/repository/maven-mule-pub/com/wsl/modules/stripe-connector/1.0.3/stripe-connector-1.0.3.pom -o /dev/null
      

      So far, transitive privileges are working as designed in Repository 3: content access through a group repository grants access to the content of its members, while direct access to a member repository that the user has no privilege on is denied. Note: this is not how Repository 2 worked.

      Problem

      Open a new private browsing window.
      Login to the UI of Repository 3 as the "test" user.
      Open Search - Maven.
      Problem: A toast popup displays a 403 error even though the end user has made no query. The default query is made in the background and would only return the one component we have cached. The search results are empty.

      Variation of Problem:
      Suppose the default search results from the default query contain only results the user has direct access to; then there is no 403 error initially and results are shown.

      Then, when the user starts typing a keyword or artifact id and an automatic search is sent as they type, the 403 can also be triggered if that backend query returns a result they do not have direct read/browse privileges for.

      Expected

      The toast 403 error causes confusion about whether the user does or does not have access to something; there are no further details in the UI that explain why that error is shown.

      Improve this experience. The user technically does have read/browse access, through the group repositories, to the content for which the UI shows a 403 error on search.
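      The following is an added model of the two access checks this issue contrasts; it is illustration written for this page, not Nexus Repository code. It reproduces the repository tree, the P-DG-Maven role and the one cached component from the Preface as constructed data, evaluates a content request the way the curl results (200/200/403) show it is evaluated (privilege on the repository named in the URL, with a group serving its members' content), and then shows why a search filter that only checks the component's own repository denies a hit the user can in fact download through a group. The translation of nx-repository-view-<format>-<repo>-<action> names into colon-separated permission segments is an assumption about the naming convention, and the resulting search behaviour is the proposed one, not how the UI currently behaves.

```python
"""Added illustration (not Nexus code): group-transitive content access versus
search-result visibility. Layout, role and component are constructed from the
issue's repro steps."""

# Constructed group membership: maven-all > maven-all-prod > maven-mule-pub
GROUP_MEMBERS = {
    "maven-all": ["maven-all-prod"],
    "maven-all-prod": ["maven-mule-pub"],
    "maven-mule-pub": [],  # proxy repository, no members
}

# Constructed privileges of the P-DG-Maven role assigned to the "test" user
P_DG_MAVEN = [
    "nx-repository-view-maven2-maven-all-*",
    "nx-repository-view-maven2-maven-all-prod-*",
    "nx-search-read",
]

# Constructed: the single component cached in the proxy after the curl requests
CACHED_COMPONENTS = [
    {"repository": "maven-mule-pub", "group": "com.wsl.modules",
     "name": "stripe-connector", "version": "1.0.3"},
]


def privilege_to_permission(name):
    """Assumption: nx-repository-view-<format>-<repo>-<action> maps to the
    segmented form nexus:repository-view:<format>:<repo>:<action>. Repository
    names may contain '-', so the action is split off the end and the format
    off the front; everything in between is the repository name."""
    prefix = "nx-repository-view-"
    if not name.startswith(prefix):
        return name  # non-repository privilege such as nx-search-read
    body, action = name[len(prefix):].rsplit("-", 1)
    fmt, repo = body.split("-", 1)
    return f"nexus:repository-view:{fmt}:{repo}:{action}"


def permits(granted, required):
    """Segment-wise match: a '*' segment in the grant matches any value.
    Matching whole segments (not substrings) keeps maven-all-* from
    accidentally covering maven-all-prod."""
    g, r = granted.split(":"), required.split(":")
    return len(g) == len(r) and all(a in ("*", b) for a, b in zip(g, r))


def has_permission(privs, required):
    return any(permits(privilege_to_permission(p), required) for p in privs)


def content_request_allowed(privs, requested_repo, action="read", fmt="maven2"):
    """Check for GET /repository/<requested_repo>/<path>: only the repository
    named in the URL is evaluated; a group then serves its members' content.
    This is the transitive behaviour the issue confirms with curl."""
    return has_permission(privs, f"nexus:repository-view:{fmt}:{requested_repo}:{action}")


def groups_containing(repo):
    """All groups that directly or transitively include repo."""
    found = set()
    for group, members in GROUP_MEMBERS.items():
        if repo in members:
            found.add(group)
            found |= groups_containing(group)
    return found


def search_visible(privs, component, transitive, action="browse"):
    """transitive=False: only a privilege on the component's own repository
    counts, so the proxy-only hit is denied (the reported behaviour).
    transitive=True: a privilege on any group containing that repository also
    counts, agreeing with what the user can actually download."""
    repos = {component["repository"]}
    if transitive:
        repos |= groups_containing(component["repository"])
    return any(content_request_allowed(privs, r, action) for r in repos)


def run_search(privs, components, transitive):
    """Filter hits per component instead of failing the whole query; the only
    case that should be refused outright is a missing nx-search-read."""
    if "nx-search-read" not in privs:
        raise PermissionError("nx-search-read required")
    hits = []
    for c in components:
        if search_visible(privs, c, transitive):
            candidates = {c["repository"]} | groups_containing(c["repository"])
            reachable = sorted(r for r in candidates if content_request_allowed(privs, r))
            hits.append({**c, "reachable_via": reachable})
    return hits


if __name__ == "__main__":
    for repo in ("maven-all", "maven-all-prod", "maven-mule-pub"):
        print(repo, "->", 200 if content_request_allowed(P_DG_MAVEN, repo) else 403)
    print("direct-only search:", run_search(P_DG_MAVEN, CACHED_COMPONENTS, transitive=False))
    print("transitive search: ", run_search(P_DG_MAVEN, CACHED_COMPONENTS, transitive=True))
```

      Run stand-alone, the script prints 200, 200 and 403 for the three repositories, an empty result for the direct-only search and one hit annotated with reachable_via ["maven-all", "maven-all-prod"] for the transitive search; the annotation is what a UI could show instead of a bare 403 toast.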

            People

            Assignee:
            Unassigned
            Reporter:
            Peter Lynch (plynch)
            Last Updated By:
            Michael Oliverio
            Team:
            NXRM - IMMORTALS
            Votes:
            2
            Watchers:
            12
