Branch operations ungoverned — all project roles including Guest can create and delete any branch (SZ-137)
rk@tigase.net opened 4 days ago

Summary

Branch create and delete operations are ungoverned — all project roles including Reviewer, Reporter, and Guest can create branches and delete any non-default branch regardless of who created it.

Steps to Reproduce

  1. Add a user to a project as Guest
  2. Log in as that user
  3. Navigate to Branches — New Branch button is available
  4. Create a branch successfully
  5. Delete a branch created by another user successfully

Expected Behavior

  • Branch creation: Developer and above only
  • Branch deletion: Developer and above, or creator only
  • Default branch: protected (working correctly)

Actual Behavior

  • Reviewer (umark) created branch bugfix/sso-logout-bug
  • Reporter (andrzej) created branch throttle/saml2-release
  • Guest (artur) created branch feature/support-openss
  • Guest (artur) deleted branches created by other users
  • Only default branch (main) is protected from deletion

Severity

High — Guest users can delete any non-default branch including feature branches actively in use by other developers

Time Estimate

3-4 hours (backend @PreAuthorize on branch create/delete endpoints plus frontend button gating)

Affected Components

  • Branch create endpoint authorization
  • Branch delete endpoint authorization
  • Branch list UI (New Branch button, delete icon visibility)
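The authorization the Expected Behavior and Time Estimate sections call for, as an added example rather than code from the SZ-137 project: a deny-by-default policy bean of the kind a Spring `@PreAuthorize` expression would delegate to. The role order, the in-memory membership and branch maps, the bean name `branchAuth`, and the user names reused from the report are assumptions for illustration.

```java
import java.util.Map;
public class BranchAuthorization {
    // Ordered lowest to highest so compareTo() expresses "Developer and above".
    enum Role { GUEST, REPORTER, REVIEWER, DEVELOPER, MAINTAINER }

    record Branch(String name, String createdBy, boolean isDefault) {}

    private final Map<String, Role> roleByUser;      // assumed project membership lookup
    private final Map<String, Branch> branchByName;  // assumed branch store for one project

    BranchAuthorization(Map<String, Role> roleByUser, Map<String, Branch> branchByName) {
        this.roleByUser = roleByUser;
        this.branchByName = branchByName;
    }

    private boolean isDeveloperOrAbove(String user) {
        // Unknown users get the lowest role, so a missing membership row never grants access.
        return roleByUser.getOrDefault(user, Role.GUEST).compareTo(Role.DEVELOPER) >= 0;
    }

    // Branch creation: Developer and above only.
    // Assumed wiring: @PreAuthorize("@branchAuth.canCreate(authentication.name)")
    public boolean canCreate(String user) {
        return isDeveloperOrAbove(user);
    }

    // Branch deletion: the default branch is never deletable; otherwise Developer and
    // above, or the creator. An unknown branch name is denied rather than allowed.
    // Assumed wiring: @PreAuthorize("@branchAuth.canDelete(authentication.name, #branchName)")
    public boolean canDelete(String user, String branchName) {
        Branch b = branchByName.get(branchName);
        if (b == null || b.isDefault()) return false;
        return b.createdBy().equals(user) || isDeveloperOrAbove(user);
    }

    public static void main(String[] args) {
        // Constructed data mirroring the report: a Guest, a Reviewer, a Reporter and a Developer.
        Map<String, Role> roles = Map.of("artur", Role.GUEST, "umark", Role.REVIEWER,
                "andrzej", Role.REPORTER, "dev1", Role.DEVELOPER);
        Map<String, Branch> branches = Map.of(
                "main", new Branch("main", "dev1", true),
                "bugfix/sso-logout-bug", new Branch("bugfix/sso-logout-bug", "umark", false));
        BranchAuthorization auth = new BranchAuthorization(roles, branches);
        System.out.println("Guest creates a branch: " + auth.canCreate("artur"));
        System.out.println("Developer creates a branch: " + auth.canCreate("dev1"));
        System.out.println("Guest deletes another user's branch: " + auth.canDelete("artur", "bugfix/sso-logout-bug"));
        System.out.println("Creator deletes own branch: " + auth.canDelete("umark", "bugfix/sso-logout-bug"));
        System.out.println("Developer deletes default branch: " + auth.canDelete("dev1", "main"));
    }
}
```

The frontend button gating mentioned in the Time Estimate should call the same decisions rather than duplicate the role logic, so the UI can never be more permissive than the endpoint.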
  • rk@tigase.net changed title 4 days ago
    Previous Value: Reviewer role can create branches — should be restricted to Developer and above
    Current Value: Branch creation ungoverned — Reviewer and Reporter can create branches, should be restricted to Developer and above
  • rk@tigase.net commented 4 days ago

    Branch creation ungoverned — all project roles including Reviewer, Reporter and Guest can create branches

  • rk@tigase.net changed title 4 days ago
    Previous Value: Branch creation ungoverned — Reviewer and Reporter can create branches, should be restricted to Developer and above
    Current Value: Branch operations ungoverned — all project roles including Guest can create and delete any branch
  • rk@tigase.net changed fields 4 days ago
    Priority: Previous Value Normal, Current Value Major
  • rk@tigase.net commented 3 days ago

    Resolved into tag v1.10.0

  • rk@tigase.net changed state to 'In Progress' 3 days ago
    Previous Value: Open, Current Value: In Progress
  • rk@tigase.net changed state to 'Closed' 3 days ago
    Previous Value: In Progress, Current Value: Closed
  • rk@tigase.net referenced from other issue 3 days ago
Type: Bug
Priority: Major
Assignee:
Version: 1.10.0
Sprints: n/a
Customer: n/a
Reference: SZ-137