Root cause is the additional (and erroneous) check in the "/validate-git-request" endpoint in GitAuthController: for access to internal projects, the role assigned to the user when the user was admitted into the project was being checked - that check is necessary for private projects alone. Amended code:
```java
// 6. Write operations require authentication and at least DEVELOPER
if (isWriteOperation) {
    if (userId == null) {
        log.debug("Unauthenticated write attempt on project: {}", projectName);
        return ResponseEntity.status(401)
                .header("WWW-Authenticate", "Basic realm=\"Sztab Git Service\"")
                .build();
    }

    // INTERNAL projects: all internal users can push without explicit membership
    if (project.getVisibility() == ProjectVisibility.INTERNAL) {
        final boolean isInternalUser = userRepository.findById(userId)
                .map(u -> u.getUserType() == UserType.INTERNAL)
                .orElse(false);
        if (isInternalUser) {
            log.debug("Internal user write access granted on INTERNAL project: userId={} project={}",
                    userId, projectName);
            return ResponseEntity.ok().build();
        }
    }

    // If it's a private project, explicitly check if the user was granted
    // DEVELOPER role when she was admitted into the project...
    if (!authorizationService.hasRole(project.getId(), userId, ProjectRole.DEVELOPER)) {
        log.warn("Insufficient role for write on project {}: userId={}", projectName, userId);
        return ResponseEntity.status(403).build();
    }

    log.debug("Write access granted: userId={} project={}", userId, projectName);
    return ResponseEntity.ok().build();
}
```
```
rksuma@Ramakrishnans-MacBook-Pro sztab % git add backend/src/main/java/com/sztab/controller/security/git/GitAuthController.java \
    backend/src/test/java/com/sztab/controller/security/git/GitAuthControllerTest.java
git commit -m "SZ-150: Allow internal users to push to INTERNAL projects without explicit membership"
git push origin wolnosc
[wolnosc ccfea68] SZ-150: Allow internal users to push to INTERNAL projects without explicit membership
 2 files changed, 73 insertions(+), 7 deletions(-)
Enumerating objects: 35, done.
Counting objects: 100% (35/35), done.
Delta compression using up to 12 threads
Compressing objects: 100% (15/15), done.
Writing objects: 100% (20/20), 3.12 KiB | 3.12 MiB/s, done.
Total 20 (delta 6), reused 0 (delta 0), pack-reused 0 (from 0)
To https://tigase.dev/sztab.git
   7e5a609..ccfea68  wolnosc -> wolnosc
rksuma@Ramakrishnans-MacBook-Pro sztab %
```
| Field | Value |
|---|---|
| Type | Bug |
| Priority | Major |
| Assignee | |
| Version | 1.10.1 |
| Sprints | n/a |
| Customer | n/a |
Problem

INTERNAL projects require explicit project membership for git operations (clone/push/pull), even though all internal users can see the project in the UI. This is counterintuitive — visibility and access are inconsistent.

Expected behavior

- PUBLIC project => all users can clone, internal users can push
- INTERNAL project => all internal users can clone and push without explicit membership
- PRIVATE project => only explicit members can access
Fundamental UX contract violation, will confuse users.
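The access matrix above, and the difference the SZ-150 change in GitAuthController makes to it, modelled as a pair of pure decision functions. This is an added example, not the project's Java code: the project names, users, the GUEST role and its ordering below DEVELOPER, the membership table, and the assumption that a PUBLIC project can be cloned anonymously are all constructed for illustration. `authorize_before_fix` applies the admission-role check to every non-public operation, which is the behaviour the report complains about; `authorize` grants INTERNAL users on non-PRIVATE projects by user type alone and keeps the role check for PRIVATE projects and for external users. `changed_decisions` enumerates every combination so the effect of the fix is visible as a list rather than inferred from reading the controller.

```python
from dataclasses import dataclass
from enum import Enum
from itertools import product
from typing import Optional


class Visibility(Enum):
    PUBLIC = "PUBLIC"
    INTERNAL = "INTERNAL"
    PRIVATE = "PRIVATE"


class UserType(Enum):
    INTERNAL = "INTERNAL"
    EXTERNAL = "EXTERNAL"


class Role(Enum):
    # Assumed ordering for this example; the issue only names DEVELOPER.
    GUEST = 1
    DEVELOPER = 2


@dataclass(frozen=True)
class Project:
    name: str
    visibility: Visibility


@dataclass(frozen=True)
class User:
    user_id: str
    user_type: UserType


# Constructed sample data (not taken from the issue).
WEBSITE = Project("website", Visibility.PUBLIC)
TEAM_TOOL = Project("team-tool", Visibility.INTERNAL)
SECRET_APP = Project("secret-app", Visibility.PRIVATE)

ALICE = User("alice", UserType.INTERNAL)   # internal staff, never explicitly admitted anywhere
BOB = User("bob", UserType.EXTERNAL)       # external contractor, DEVELOPER on the private project
CAROL = User("carol", UserType.INTERNAL)   # internal staff, admitted as GUEST only

# (project name, user id) -> role granted when the user was admitted to the project
MEMBERSHIPS = {
    ("secret-app", "bob"): Role.DEVELOPER,
    ("secret-app", "carol"): Role.GUEST,
    ("team-tool", "carol"): Role.GUEST,
}


def has_role(project: Project, user_id: str, required: Role) -> bool:
    """Stand-in for authorizationService.hasRole: the admission role must be >= required."""
    role = MEMBERSHIPS.get((project.name, user_id))
    return role is not None and role.value >= required.value


def authorize_before_fix(project: Project, user: Optional[User], write: bool) -> int:
    """Pre-fix behaviour as the comment describes it: the admission role was
    checked regardless of visibility, so INTERNAL projects acted like PRIVATE ones.
    Returns an HTTP-style status: 200 allow, 401 credentials needed, 403 forbidden."""
    if project.visibility is Visibility.PUBLIC and not write:
        return 200  # assumption: anonymous clone of a PUBLIC project is allowed
    if user is None:
        return 401  # every other operation needs credentials
    required = Role.DEVELOPER if write else Role.GUEST
    return 200 if has_role(project, user.user_id, required) else 403


def authorize(project: Project, user: Optional[User], write: bool) -> int:
    """Fixed decision: on a non-PRIVATE project an INTERNAL user is granted by
    user type alone; the admission-role check still applies to PRIVATE projects
    and to external users on any project."""
    if project.visibility is Visibility.PUBLIC and not write:
        return 200
    if user is None:
        return 401
    if project.visibility is not Visibility.PRIVATE and user.user_type is UserType.INTERNAL:
        return 200
    required = Role.DEVELOPER if write else Role.GUEST
    return 200 if has_role(project, user.user_id, required) else 403


def changed_decisions():
    """Enumerate every (project, user, operation) and return the combinations whose
    outcome differs between the two versions: (project, who, operation, before, after)."""
    changed = []
    for project, user, write in product(
        (WEBSITE, TEAM_TOOL, SECRET_APP), (None, ALICE, BOB, CAROL), (False, True)
    ):
        before = authorize_before_fix(project, user, write)
        after = authorize(project, user, write)
        if before != after:
            who = user.user_id if user else "anonymous"
            changed.append((project.name, who, "push" if write else "clone", before, after))
    return changed


if __name__ == "__main__":
    for row in changed_decisions():
        print(row)
```

Running the block prints only five rows, all of them internal users on the PUBLIC or INTERNAL project moving from 403 to 200; nothing on the PRIVATE project changes, and anonymous and external users get the same answers as before. That is the property worth asserting in the controller's test class: the fix widens access exactly along the user-type axis for non-private projects and nowhere else.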