Posted to issues@archiva.apache.org by "Krisztian Fekete (JIRA)" <ji...@apache.org> on 2015/12/04 13:47:10 UTC

[jira] [Commented] (MRM-1908) Logged on users can write any repository

    [ https://issues.apache.org/jira/browse/MRM-1908?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15041528#comment-15041528 ] 

Krisztian Fekete commented on MRM-1908:
---------------------------------------

I wasn't able to get my feketk1 user details through the UI (it is not on the list, probably we have too many LDAP users), so I did query all the permissions through the API:

http://...../restServices/redbackServices/userService/getUser/feketk1

<user>
<email>Krisztian.Fekete2@xxxxxxxx.com</email>
<fullName>Krisztian</fullName>
<locked>false</locked>
<passwordChangeRequired>false</passwordChangeRequired>
<permanent>true</permanent>
<readOnly>false</readOnly>
<timestampLastPasswordChange>Fri, 4 Dec 2015 05:55:08 -0500 - 1 hour ago</timestampLastPasswordChange>
<userManagerId>ldap</userManagerId>
<username>feketk1</username>
<validated>true</validated>
</user>

-------------------------------------
http://...../restServices/redbackServices/userService/getUserPermissions/feketk1

<permissions>
<permission>
<name>Archiva Add Repository Metadata - test-internal</name>
<operation>
<name>archiva-add-metadata</name>
<permanent>false</permanent>
</operation>
<resource>
<identifier>test-internal</identifier>
<pattern>false</pattern>
<permanent>false</permanent>
</resource>
</permission>
<permission>
<name>Archiva Delete Repository Metadata - test-internal</name>
<operation>
<name>archiva-delete-metadata</name>
<permanent>false</permanent>
</operation>
<resource>
<identifier>test-internal</identifier>
<pattern>false</pattern>
<permanent>false</permanent>
</resource>
</permission>
<permission>
<name>Archiva Merge Repository - test-snapshots</name>
<operation>
<name>archiva-merge-repository</name>
<permanent>false</permanent>
</operation>
<resource>
<identifier>test-snapshots</identifier>
<pattern>false</pattern>
<permanent>false</permanent>
</resource>
</permission>
<permission>
<name>Archiva Edit Repository - test-internal</name>
<operation>
<name>archiva-edit-repository</name>
<permanent>false</permanent>
</operation>
<resource>
<identifier>test-internal</identifier>
<pattern>false</pattern>
<permanent>false</permanent>
</resource>
</permission>
<permission>
<name>Archiva Add Repository Metadata - test-snapshots</name>
<operation>
<name>archiva-add-metadata</name>
<permanent>false</permanent>
</operation>
<resource>
<identifier>test-snapshots</identifier>
<pattern>false</pattern>
<permanent>false</permanent>
</resource>
</permission>
<permission>
<name>Delete Artifact - test-internal</name>
<operation>
<name>archiva-delete-artifact</name>
<permanent>false</permanent>
</operation>
<resource>
<identifier>test-internal</identifier>
<pattern>false</pattern>
<permanent>false</permanent>
</resource>
</permission>
<permission>
<name>Archiva Read Repository - test-snapshots</name>
<operation>
<name>archiva-read-repository</name>
<permanent>false</permanent>
</operation>
<resource>
<identifier>test-snapshots</identifier>
<pattern>false</pattern>
<permanent>false</permanent>
</resource>
</permission>
<permission>
<name>Archiva Delete Repository Metadata - test-snapshots</name>
<operation>
<name>archiva-delete-metadata</name>
<permanent>false</permanent>
</operation>
<resource>
<identifier>test-snapshots</identifier>
<pattern>false</pattern>
<permanent>false</permanent>
</resource>
</permission>
<permission>
<name>Archiva View Audit Logs - test-internal</name>
<operation>
<name>archiva-view-audit-logs</name>
<permanent>false</permanent>
</operation>
<resource>
<identifier>test-internal</identifier>
<pattern>false</pattern>
<permanent>false</permanent>
</resource>
</permission>
<permission>
<name>Archiva Read Repository - test-internal</name>
<operation>
<name>archiva-read-repository</name>
<permanent>false</permanent>
</operation>
<resource>
<identifier>test-internal</identifier>
<pattern>false</pattern>
<permanent>false</permanent>
</resource>
</permission>
<permission>
<name>Archiva View Audit Logs - test-snapshots</name>
<operation>
<name>archiva-view-audit-logs</name>
<permanent>false</permanent>
</operation>
<resource>
<identifier>test-snapshots</identifier>
<pattern>false</pattern>
<permanent>false</permanent>
</resource>
</permission>
<permission>
<name>Archiva Merge Repository - test-internal</name>
<operation>
<name>archiva-merge-repository</name>
<permanent>false</permanent>
</operation>
<resource>
<identifier>test-internal</identifier>
<pattern>false</pattern>
<permanent>false</permanent>
</resource>
</permission>
<permission>
<name>Delete Artifact - test-snapshots</name>
<operation>
<name>archiva-delete-artifact</name>
<permanent>false</permanent>
</operation>
<resource>
<identifier>test-snapshots</identifier>
<pattern>false</pattern>
<permanent>false</permanent>
</resource>
</permission>
<permission>
<name>Archiva Edit Repository - test-snapshots</name>
<operation>
<name>archiva-edit-repository</name>
<permanent>false</permanent>
</operation>
<resource>
<identifier>test-snapshots</identifier>
<pattern>false</pattern>
<permanent>false</permanent>
</resource>
</permission>
<permission>
<name>Archiva Upload to Repository - test-internal</name>
<operation>
<name>archiva-upload-repository</name>
<permanent>false</permanent>
</operation>
<resource>
<identifier>test-internal</identifier>
<pattern>false</pattern>
<permanent>false</permanent>
</resource>
</permission>
<permission>
<name>Archiva Upload to Repository - test-snapshots</name>
<operation>
<name>archiva-upload-repository</name>
<permanent>false</permanent>
</operation>
<resource>
<identifier>test-snapshots</identifier>
<pattern>false</pattern>
<permanent>false</permanent>
</resource>
</permission>
<permission>
<name>Archiva Delete Repository - test-snapshots</name>
<operation>
<name>archiva-delete-repository</name>
<permanent>false</permanent>
</operation>
<resource>
<identifier>test-snapshots</identifier>
<pattern>false</pattern>
<permanent>false</permanent>
</resource>
</permission>
<permission>
<name>Archiva Delete Repository - test-internal</name>
<operation>
<name>archiva-delete-repository</name>
<permanent>false</permanent>
</operation>
<resource>
<identifier>test-internal</identifier>
<pattern>false</pattern>
<permanent>false</permanent>
</resource>
</permission>
</permissions>

> Logged on users can write any repository
> ----------------------------------------
>
>                 Key: MRM-1908
>                 URL: https://issues.apache.org/jira/browse/MRM-1908
>             Project: Archiva
>          Issue Type: Bug
>          Components: Users/Security
>    Affects Versions: 2.2.0
>            Reporter: Krisztian Fekete
>         Attachments: archiva1.jpg, archiva2.jpg, archiva3.jpg, archiva4.jpg, archiva5.jpg, archiva6.jpg
>
>
> Our sandbox Archiva 2.2.0 instance is connected with our corporate LDAP service. I created a repository with the name common-internal. My LDAP user feketk1 doesn't have any permission on the common-internal repository. When I log in through the web UI with my feketk1 user, I am able to upload artefacts to the common-internal repository.
> For additional details please check attached screenshots.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
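
An added example (not part of the original message or of Archiva's code): a Python check that reads a getUserPermissions response like the one quoted above and reports whether an operation is granted on a given repository, which is the comparison the comment relies on for common-internal. The function names are hypothetical, the sample is two entries trimmed from the response above, and no assumption is made about how `<pattern>true</pattern>` resources are evaluated, so those are only flagged for manual review.

```python
import xml.etree.ElementTree as ET

# Two entries trimmed from the getUserPermissions response quoted above.
SAMPLE = """<permissions>
<permission>
<name>Archiva Upload to Repository - test-internal</name>
<operation><name>archiva-upload-repository</name><permanent>false</permanent></operation>
<resource><identifier>test-internal</identifier><pattern>false</pattern></resource>
</permission>
<permission>
<name>Archiva Delete Repository Metadata - test-snapshots</name>
<operation><name>archiva-delete-metadata</name><permanent>false</permanent></operation>
<resource><identifier>test-snapshots</identifier><pattern>false</pattern></resource>
</permission>
</permissions>"""


def parse_grants(xml_text):
    """Return (operation, resource identifier, is_pattern) for each permission."""
    grants = []
    for perm in ET.fromstring(xml_text).iter("permission"):
        op = (perm.findtext("operation/name") or "").strip()
        res = (perm.findtext("resource/identifier") or "").strip()
        is_pattern = (perm.findtext("resource/pattern") or "").strip() == "true"
        if op and res:  # skip incomplete entries instead of guessing
            grants.append((op, res, is_pattern))
    return grants


def check(grants, operation, repo_id):
    """Return 'granted', 'not-granted' or 'review-pattern' for one operation/repo."""
    verdict = "not-granted"
    for op, res, is_pattern in grants:
        if op != operation:
            continue
        if res == repo_id and not is_pattern:
            return "granted"
        if is_pattern:
            # Pattern semantics are not interpreted here; a human should look.
            verdict = "review-pattern"
    return verdict


def repos_with(grants, operation):
    """Sorted literal repository ids on which the operation is granted."""
    return sorted({res for op, res, pat in grants if op == operation and not pat})
```
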