Tigase Forge
Dashboards
Projects
Global Views
Code Search
sztab
Issues
List
Boards
Iterations
Builds
Statistics
Child Projects
OneDev 11.9.7
Documentation Support & Bug Report RESTful API Incompatibilities License Agreement Check Update
Projects sztab Issues SZ-133
PRIVATE projects visible to all INTERNAL users regardless of membership (SZ-133)
rk@tigase.net opened 19 hours ago

Summary

PRIVATE projects are visible to all INTERNAL users regardless of membership, violating PRIVATE visibility semantics.

Steps to Reproduce

  1. Create a PRIVATE project (e.g. Demo-Tigase-Helm-Charts, id=1)
  2. Add no members to the project
  3. Log in as any INTERNAL user who is not the project owner (e.g. rk)
  4. Navigate to the project list

Expected Behavior

PRIVATE project should not appear in the project list for INTERNAL users who are not members or the owner. Direct URL access should also be denied.

Actual Behavior

PRIVATE project (Demo-Tigase-Helm-Charts) appears in the project list for rk (INTERNAL), who has no membership and is not the owner (owner: artur).

Evidence

  • projects.id=1, visibility=PRIVATE, owner_id=artur
  • project_members for project_id=1 returns 0 rows
  • rk is visible in project list when logged in as rk

Root Cause (suspected)

ExternalUserPolicy correctly filters external users (SZ-127 fix) but the same membership filter is not applied to INTERNAL users for PRIVATE projects. INTERNAL users appear to see all projects regardless of visibility level.

Affected Components

  • ExternalUserPolicy or equivalent authorization filter
  • Project list query / repository method (findProjectsByMember or equivalent)

Severity

High severity because PRIVATE project confidentiality is broken for all INTERNAL users

  • rk@tigase.net commented 19 hours ago

    The SZ-127 fix already solved this for external users — the membership filter exists, it just needs to be applied to INTERNAL users for PRIVATE projects. It's a targeted query/policy change, not a new feature.

  • rk@tigase.net commented 19 hours ago

    umark (INTERNAL, non-member) can see test-private-local and Demo-Tigase-Helm-Charts — both PRIVATE projects. Confirms the blast radius of this defect.

  • rk@tigase.net commented 6 hours ago

    Amending release/1.10.0 directly

  • rk@tigase.net changed state to 'In Progress' 6 hours ago
    Previous Value Current Value 
    Open
    		 
    In Progress
  • rk@tigase.net commented 4 hours ago

    Fix merged into wolsonsc

  • rk@tigase.net changed state to 'Closed' 4 hours ago
    Previous Value Current Value 
    In Progress
    		 
    Closed
issue 1 of 1
Type
Bug
Priority
Major
Assignee
rk@tigase.net
Version
1.10.0
Sprints
n/a
Customer
n/a
Issue Votes (0)
Login to vote
Watchers (3)
Reference
SZ-133
Please wait...
Page is in error, reload to recover