Details
Bug
Resolution: Fixed
Major
2.12.0
PRO
0.5
Sprint 60 - Föhn, Sprint 61 - Föhn
Description
Problem
If a user is not granted the Staging: Drop Repository privilege, they can still drop a repository upon release of that repository using the /service/local/staging/bulk/promote resource.
Reproduce
Configure a user `sonatype` with UI Basic and a custom staging role:
```xml
<userRoleMapping>
  <userId>sonatype</userId>
  <source>default</source>
  <roles>
    <role>ui-basic</role>
    <role>custom-staging</role>
  </roles>
</userRoleMapping>

<role>
  <id>custom-staging</id>
  <name>custom-staging</name>
  <description>Staging without drop privilege</description>
  <privileges>
    <privilege>55</privilege>
    <privilege>46</privilege>
    <privilege>14</privilege>
    <privilege>staging-admin-read</privilege>
    <privilege>staging-start</privilege>
    <privilege>staging-admin-stage</privilege>
    <privilege>staging-profile-repositories</privilege>
    <privilege>staging-rule-types</privilege>
    <privilege>staging-ruleset-read</privilege>
    <privilege>staging-admin-promote</privilege>
    <privilege>1</privilege>
    <privilege>repository-all</privilege>
    <privilege>staging-profile-read</privilege>
    <privilege>staging-promote</privilege>
    <privilege>6</privilege>
  </privileges>
</role>
```
The user can log in to the UI and view the staging repository list. The Drop button is disabled, implying they do not have the drop permission.
However the Release button is not disabled as expected. The Release confirmation dialog includes a checkmark to Automatically Drop a repository upon release. When selected, the repository is dropped upon release, despite the user not having Staging: Drop Repository privilege.
Expected
The bulk/promote resource should only perform the release if the drop checkbox is not selected (payload implies do not drop) when the user does not have permission to drop a repository. The UI should display a permission error. Keep in mind the maven staging plugin also uses this resource.
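The expected behaviour above, sketched as a server-side check; this is an added example, not Nexus code. The class, the method, the `autoDropAfterRelease` parameter name and the `staging-drop` privilege id are assumptions made for illustration; only `staging-promote` and `staging-admin-promote` come from the role shown on this page.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class BulkPromoteAuthz {
    // "staging-promote" is in the role shown above; "staging-drop" is an
    // assumed id standing in for the Staging: Drop Repository privilege.
    static final String PROMOTE = "staging-promote";
    static final String DROP = "staging-drop";

    // Authorize every action the payload implies, then act. Throws before any
    // repository is touched, so a denied request never half-completes.
    static List<String> bulkPromote(Set<String> privileges, List<String> repoIds,
                                    boolean autoDropAfterRelease) {
        if (!privileges.contains(PROMOTE)) {
            throw new SecurityException("missing privilege: " + PROMOTE);
        }
        if (autoDropAfterRelease && !privileges.contains(DROP)) {
            throw new SecurityException("missing privilege: " + DROP);
        }
        List<String> performed = new ArrayList<>();
        for (String id : repoIds) {
            performed.add("release " + id);
            if (autoDropAfterRelease) {
                performed.add("drop " + id);
            }
        }
        return performed;
    }

    public static void main(String[] args) {
        Set<String> customStaging = Set.of(PROMOTE, "staging-admin-promote");
        List<String> repos = List.of("example-1001"); // constructed repository id

        // Release without drop: allowed for the custom-staging user.
        System.out.println(bulkPromote(customStaging, repos, false));

        // Release with automatic drop: rejected, nothing is released.
        try {
            bulkPromote(customStaging, repos, true);
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }

        // A user who also holds the drop privilege gets both actions.
        System.out.println(bulkPromote(Set.of(PROMOTE, DROP), repos, true));
    }
}
```

Because the check runs in the resource handler rather than in the UI, it applies equally to the maven staging plugin and any other client that calls the same resource.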