-
Root Cause (suspected)
Project list query does not apply ExternalUserPolicy filter predicate when the current user is external. System-level role grants broad read access that supersedes per-project membership enforcement.
Fix
In ProjectService.getProjects() (or equivalent list endpoint):
- Detect if current user is external
- If external, scope project list query to projects where the user has an explicit membership record
- Internal users continue to see all projects per existing policy
Related
- SZ-78 — External users must not hold ADMIN/PROJECT_MANAGER roles (enforcement not yet implemented — may be contributing factor)
- ExternalUserPolicy enforcement point audit recommended after fix
-
rksuma@Ramakrishnans-MacBook-Pro sztab % git status
On branch release/1.10.0
Your branch is up to date with 'origin/release/1.10.0'.

nothing to commit, working tree clean
rksuma@Ramakrishnans-MacBook-Pro sztab % git checkout -b fix/SZ-127-external-user-project-visibility
Switched to a new branch 'fix/SZ-127-external-user-project-visibility'
rksuma@Ramakrishnans-MacBook-Pro sztab %
-
Found the root cause and the fix:
The ProjectController is injected with externalUserPolicy, securityUtils, and userService but isn't using them for the list endpoint. Fix:

```java
// ProjectController: list endpoint, scoped by membership for external users
@GetMapping
@PreAuthorize("isAuthenticated()")
public ResponseEntity<Page<ProjectDto>> getAllProjects(
        final Pageable pageable,
        final Authentication authentication) {
    final User currentUser = securityUtils.getCurrentUser(authentication);
    final Page<ProjectDto> dtos;
    if (currentUser.isExternal()) {
        // external: only projects with an explicit membership record
        dtos = projectService.getAllProjectsForExternalUser(currentUser, pageable)
                .map(projectMapper::toDto);
    } else {
        // internal: unchanged, existing policy applies
        dtos = projectService.getAllProjects(pageable)
                .map(projectMapper::toDto);
    }
    return ResponseEntity.ok(dtos);
}
```

Added 3 unit tests to cover this, which would have exposed this problem.
-
-
| Type | Bug |
| Priority | Blocker |
| Assignee | |
| Version | 1.10.0 |
| Sprints | n/a |
| Customer | n/a |
Issue Votes (0)
Summary
External users can see all projects in the project list regardless of which projects they have been explicitly invited to. An external user invited to one project can see all projects in the system. The ExternalUserPolicy enforcement point is not correctly scoping the project list query to invited projects only.
Steps to Reproduce
Expected Behavior
External users should only see projects they have been explicitly invited to as a member. All other projects — regardless of visibility type — should be invisible to external users.
Actual Behavior
External user sees all projects in the system. System-level DEVELOPER role appears to override per-project ExternalUserPolicy access control, bypassing project membership checks entirely.
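The scoping rule in Expected Behavior, modelled as an added example (not the project's code): a membership table, an external user who also holds the system-level DEVELOPER role, and two list functions, one reproducing the role short-circuit described in Actual Behavior and one applying the external-user scope first so that neither a system role nor project visibility widens the result. All class and method names (User, Project, MembershipRepository, listProjectsBuggy, listProjectsFixed) and the sample data are assumptions for illustration.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added example, dependency-free; class and method names are assumptions,
// not the project's real types.
public final class ExternalUserScopingExample {

    enum Visibility { PUBLIC, INTERNAL, PRIVATE }

    record User(String id, boolean external, Set<String> systemRoles) {}
    record Project(String id, Visibility visibility) {}

    /** Stand-in for the membership table: projectId -> userIds explicitly invited. */
    static final class MembershipRepository {
        private final Map<String, Set<String>> byProject;
        MembershipRepository(Map<String, Set<String>> byProject) { this.byProject = byProject; }
        boolean isMember(String projectId, String userId) {
            return byProject.getOrDefault(projectId, Set.of()).contains(userId);
        }
    }

    /** Pre-fix shape: a system-level role is checked first and bypasses membership. */
    static List<Project> listProjectsBuggy(User u, List<Project> all, MembershipRepository m) {
        if (u.systemRoles().contains("DEVELOPER")) {
            return all; // broad read access supersedes per-project membership
        }
        return all.stream().filter(p -> m.isMember(p.id(), u.id())).toList();
    }

    /** Fixed shape: external users are scoped to explicit memberships before any role or visibility logic. */
    static List<Project> listProjectsFixed(User u, List<Project> all, MembershipRepository m) {
        if (u.external()) {
            return all.stream().filter(p -> m.isMember(p.id(), u.id())).toList();
        }
        return all; // internal users keep the existing policy
    }

    public static void main(String[] args) {
        // Constructed sample data: three projects, the external user invited to P2 only.
        List<Project> all = List.of(
                new Project("P1", Visibility.PUBLIC),
                new Project("P2", Visibility.PUBLIC),
                new Project("P3", Visibility.PRIVATE));
        MembershipRepository memberships = new MembershipRepository(Map.of("P2", Set.of("ext-1")));
        User external = new User("ext-1", true, Set.of("DEVELOPER"));
        User internal = new User("int-1", false, Set.of("DEVELOPER"));

        System.out.println("buggy, external: " + listProjectsBuggy(external, all, memberships));
        System.out.println("fixed, external: " + listProjectsFixed(external, all, memberships));
        System.out.println("fixed, internal: " + listProjectsFixed(internal, all, memberships));

        // The check a regression test should make: one invited project, nothing more,
        // even though the user holds DEVELOPER and P1 is PUBLIC.
        List<Project> scoped = listProjectsFixed(external, all, memberships);
        if (scoped.size() != 1 || !scoped.get(0).id().equals("P2")) {
            throw new AssertionError("external user must see only explicitly invited projects");
        }
    }
}
```

The ordering is the point: the external check comes before any role or visibility predicate, so a later grant of a broad system role (the SZ-78 case) cannot reopen the list. The same ordering should hold at every ExternalUserPolicy enforcement point, not only the list endpoint, which is why the audit after the fix matters.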