Developer role can merge PRs — merge should be restricted to Maintainer and Owner (SZ-136)
rk@tigase.net opened 2 hours ago

Summary

Developers can merge pull requests. Per the role permissions matrix, Developer role is scoped to push, create PRs, and manage issues. Merge is not listed as a Developer permission and should be restricted to Maintainer and Owner only.

Steps to Reproduce

  1. Add a user to a project as Developer
  2. Log in as that user
  3. Create a PR and merge it

Expected Behavior

Merge button should not be available to Developer role. Only Maintainer and Owner should be able to merge PRs.

Actual Behavior

Developer (rk) was able to merge a PR successfully.

Affected Components

  • PR merge endpoint authorization
  • PR merge button visibility in frontend
rk@tigase.net commented 2 hours ago

The backend guard exists but references the wrong role concept and the frontend shows the button regardless.
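
A server-side guard matching the behaviour this issue expects, as an added example that is not part of the issue or the project's code. The function names, the `merge_pr` action string, the sample memberships, and the reading of "role" as a per-project membership are assumptions; only the Developer permissions and the Maintainer/Owner merge restriction come from the issue.

```python
from enum import Enum


class Role(Enum):
    DEVELOPER = "developer"
    MAINTAINER = "maintainer"
    OWNER = "owner"


# Permission matrix. The Developer entries come from the issue summary; the
# Maintainer/Owner rows are assumed to be the Developer set plus merge.
DEVELOPER_PERMS = frozenset({"push", "create_pr", "manage_issues"})
PERMISSIONS = {
    Role.DEVELOPER: DEVELOPER_PERMS,
    Role.MAINTAINER: DEVELOPER_PERMS | {"merge_pr"},
    Role.OWNER: DEVELOPER_PERMS | {"merge_pr"},
}

# Constructed sample data: role is stored per (project, user) membership.
MEMBERSHIPS = {
    ("proj-a", "dev1"): Role.DEVELOPER,
    ("proj-a", "maint1"): Role.MAINTAINER,
    ("proj-b", "dev1"): Role.OWNER,  # same user, different role elsewhere
}


class Forbidden(Exception):
    pass


def can(user, project, action):
    """Deny by default: no membership in this project, or an unlisted action."""
    role = MEMBERSHIPS.get((project, user))
    return role is not None and action in PERMISSIONS.get(role, frozenset())


def merge_pr(user, project, pr_id):
    """Endpoint guard: enforced regardless of what the frontend rendered."""
    if not can(user, project, "merge_pr"):
        raise Forbidden(f"{user} may not merge in {project}")
    return {"project": project, "pr": pr_id, "merged_by": user}


def pr_view(user, project, pr_id):
    """Button flag derived from the same check, so UI and endpoint agree."""
    return {"pr": pr_id, "show_merge_button": can(user, project, "merge_pr")}
```

Deriving the button flag and the endpoint decision from one `can()` call keeps the two affected components from drifting apart; the endpoint check remains the one that enforces the restriction.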

Type: Bug
Priority: Normal
Assignee:
Version: 1.10.0
Sprints: n/a
Customer: n/a
Issue Votes: 0
Watchers: 3
Reference: SZ-136