Dev - Nexus Repo / NEXUS-9634

/service/local/staging/bulk/promote resource does not check drop privilege


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.12.0
    • Fix Version/s: 2.12.1
    • Component/s: Security, Staging
    • Environment: PRO
    • Story Points: 0.5
    • Sprint: Sprint 60 - Föhn, Sprint 61 - Föhn

      Description

      Problem

      If a user is not granted the Staging: Drop Repository privilege, they can still drop a repository upon release of that repository using the /service/local/staging/bulk/promote resource.

      Reproduce

      Configure a user `sonatype` with UI Basic and a custom staging role:

      <userRoleMapping>
        <userId>sonatype</userId>
        <source>default</source>
        <roles>
          <role>ui-basic</role>
          <role>custom-staging</role>
        </roles>
      </userRoleMapping>

      <role>
        <id>custom-staging</id>
        <name>custom-staging</name>
        <description>Staging without drop privilege</description>
        <privileges>
          <privilege>55</privilege>
          <privilege>46</privilege>
          <privilege>14</privilege>
          <privilege>staging-admin-read</privilege>
          <privilege>staging-start</privilege>
          <privilege>staging-admin-stage</privilege>
          <privilege>staging-profile-repositories</privilege>
          <privilege>staging-rule-types</privilege>
          <privilege>staging-ruleset-read</privilege>
          <privilege>staging-admin-promote</privilege>
          <privilege>1</privilege>
          <privilege>repository-all</privilege>
          <privilege>staging-profile-read</privilege>
          <privilege>staging-promote</privilege>
          <privilege>6</privilege>
        </privileges>
      </role>


      The user can log in to the UI and view the staging repository list. The Drop button is disabled, implying they do not have the drop permission.

      However, the Release button is not disabled as expected. The Release confirmation dialog includes a checkbox to automatically drop a repository upon release. When it is selected, the repository is dropped upon release, despite the user not having the Staging: Drop Repository privilege.

      Expected

      The bulk/promote resource should only perform the release if the drop checkbox is not selected (payload implies do not drop) when the user does not have permission to drop a repository. The UI should display a permission error. Keep in mind the maven staging plugin also uses this resource, so the check must be enforced server-side in the resource itself, not only by disabling UI controls.
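      The following is an added, self-contained model of the server-side check the Expected section asks for; it is not Nexus code. It places the behaviour described in the ticket (only the promote privilege is verified, then the drop requested in the payload is executed anyway) beside a version that derives the full set of required privileges from the payload before touching any repository. The payload field names (`stagedRepositoryIds`, `autoDropAfterRelease`), the privilege name `staging-drop`, and the `Response` shape are assumptions made for the example; `staging-promote` is taken from the role definition above.

```python
from dataclasses import dataclass, field

# Privilege names: staging-promote appears in the ticket's custom-staging role;
# staging-drop is an ASSUMED name standing in for "Staging: Drop Repository".
PRIV_PROMOTE = "staging-promote"
PRIV_DROP = "staging-drop"


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status plus what the server did."""
    status: int
    actions: list = field(default_factory=list)  # ("release"|"drop", repo_id)
    error: str = ""


def _wants_drop(payload):
    # ASSUMED payload shape:
    # {"data": {"stagedRepositoryIds": [...], "autoDropAfterRelease": bool}}
    return bool(payload.get("data", {}).get("autoDropAfterRelease", False))


def _repo_ids(payload):
    return list(payload.get("data", {}).get("stagedRepositoryIds", []))


def bulk_promote_vulnerable(privs, payload):
    """Behaviour the ticket reports: only the promote privilege is checked, so
    the drop flag in the payload is honoured for any caller who may promote."""
    if PRIV_PROMOTE not in privs:
        return Response(403, error="missing privilege: " + PRIV_PROMOTE)
    resp = Response(200)
    for rid in _repo_ids(payload):
        resp.actions.append(("release", rid))
        if _wants_drop(payload):
            resp.actions.append(("drop", rid))  # no drop-privilege check here
    return resp


def bulk_promote_fixed(privs, payload):
    """Every privilege the request needs is verified before any repository is
    released, so a rejected request does not leave a partial release behind.
    Because the check lives in the resource, it covers the UI and the maven
    staging plugin alike."""
    required = {PRIV_PROMOTE}
    if _wants_drop(payload):
        required.add(PRIV_DROP)
    missing = sorted(required - set(privs))
    if missing:
        return Response(403, error="missing privilege(s): " + ", ".join(missing))
    resp = Response(200)
    for rid in _repo_ids(payload):
        resp.actions.append(("release", rid))
        if _wants_drop(payload):
            resp.actions.append(("drop", rid))
    return resp


# Constructed sample input: the ticket's `sonatype` user (promote, no drop)
# releasing one repository with "automatically drop" ticked.
SONATYPE_PRIVS = {PRIV_PROMOTE, "staging-start", "staging-profile-read"}
RELEASE_AND_DROP = {"data": {"stagedRepositoryIds": ["repo-1001"],
                             "autoDropAfterRelease": True}}
RELEASE_ONLY = {"data": {"stagedRepositoryIds": ["repo-1001"],
                         "autoDropAfterRelease": False}}

if __name__ == "__main__":
    print("vulnerable:", bulk_promote_vulnerable(SONATYPE_PRIVS, RELEASE_AND_DROP))
    print("fixed:     ", bulk_promote_fixed(SONATYPE_PRIVS, RELEASE_AND_DROP))
    print("fixed, no drop:", bulk_promote_fixed(SONATYPE_PRIVS, RELEASE_ONLY))
```

      The design point is that the privilege set is computed from what the request will actually do, and the whole request is refused with a permission error when any part of it is not permitted; the release-only request from the same user still succeeds, which matches the expected behaviour in the ticket.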

            People

            Assignee: Joe Tom (jtom)
            Reporter: Peter Lynch (plynch)
            Last Updated By: Peter Lynch