
POLICY_VIOLATION_ANALYSIS gives HTTP 403 #126

Closed
msymons opened this issue Mar 3, 2022 · 2 comments
Labels
enhancement New feature or request p2 Non-critical bugs, and features that help organizations to identify and reduce risk pending release
Milestone

Comments

@msymons
Member

msymons commented Mar 3, 2022

Current Behavior:

A user with the permission POLICY_VIOLATION_ANALYSIS will receive HTTP 403 errors when attempting to use the "Policy Violations" tab unless they also have the permission VULNERABILITY_ANALYSIS.

Steps to Reproduce:

  • Create a Managed User X with Permissions: VIEW_PORTFOLIO (so that they can navigate projects) and POLICY_VIOLATION_ANALYSIS
  • Ensure that you have a Project Y with one or more policy violations.
  • Log in as User X and navigate to Project Y.
  • The "Policy Violations" tab is displayed (so far so good).
  • Whilst the tab itself displays the list of violations, attempting to expand any individual violation will give an HTTP 403 error... but will display the details.
  • Attempting to add a comment (or other action) results in more errors.
  • Switch back to Admin user and add permission VULNERABILITY_ANALYSIS to User X.
  • Log in as User X a second time... it is now possible to perform policy violation analysis.

Expected Behavior:

Performing analysis of policy violations should require POLICY_VIOLATION_ANALYSIS permission alone and not be linked to VULNERABILITY_ANALYSIS permission (which is intended to accomplish something totally different).

Environment:

  • Dependency-Track Version: 4.4.1
  • Client Browser: Firefox
  • Client O/S: Windows 10.
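To make the reported gating problem concrete, here is a constructed Python model of permission-gated actions; it is added here and is not Dependency-Track's code. The permission names come from the issue, while the action names, the two requirement tables and the `authorize`, `reproduce` and `misgated_actions` helpers are assumptions. The buggy table gates the analysis actions on VULNERABILITY_ANALYSIS, as the report describes, and the fixed table gates them on POLICY_VIOLATION_ANALYSIS; `misgated_actions` is the kind of least-privilege regression check that would have caught the mismatch: it flags any action whose gate omits the permission that exists for that action's purpose.

```python
"""Constructed model of permission-gated actions (not Dependency-Track's code).

Permission names are taken from the issue; action names and both requirement
tables are assumptions that model the behaviour the report describes.
"""
from typing import Dict, FrozenSet, List, Set

# Permission names as they appear in the issue.
VIEW_PORTFOLIO = "VIEW_PORTFOLIO"
POLICY_VIOLATION_ANALYSIS = "POLICY_VIOLATION_ANALYSIS"
VULNERABILITY_ANALYSIS = "VULNERABILITY_ANALYSIS"

# Hypothetical action names for the operations the reproduction steps exercise.
LIST_VIOLATIONS = "list_violations"                # the "Policy Violations" tab itself
GET_VIOLATION_ANALYSIS = "get_violation_analysis"  # expanding an individual violation
COMMENT_ON_VIOLATION = "comment_on_violation"      # adding a comment

# Each action maps to the permissions of which the caller must hold at least one.
# Assumed "before" state: analysis actions reuse the vulnerability-analysis gate.
BUGGY_REQUIREMENTS: Dict[str, Set[str]] = {
    LIST_VIOLATIONS: {VIEW_PORTFOLIO},
    GET_VIOLATION_ANALYSIS: {VULNERABILITY_ANALYSIS},
    COMMENT_ON_VIOLATION: {VULNERABILITY_ANALYSIS},
}
# Assumed "after" state: analysis actions are gated on the permission made for them.
FIXED_REQUIREMENTS: Dict[str, Set[str]] = {
    LIST_VIOLATIONS: {VIEW_PORTFOLIO},
    GET_VIOLATION_ANALYSIS: {POLICY_VIOLATION_ANALYSIS},
    COMMENT_ON_VIOLATION: {POLICY_VIOLATION_ANALYSIS},
}

# The permission each action exists to be controlled by (the least-privilege intent).
ACTION_PURPOSE: Dict[str, str] = {
    LIST_VIOLATIONS: VIEW_PORTFOLIO,
    GET_VIOLATION_ANALYSIS: POLICY_VIOLATION_ANALYSIS,
    COMMENT_ON_VIOLATION: POLICY_VIOLATION_ANALYSIS,
}


def authorize(user_perms: FrozenSet[str], action: str,
              requirements: Dict[str, Set[str]]) -> int:
    """Return an HTTP-style status: 200 if the user holds any required permission, else 403.

    An action with no entry in the table is denied (fail closed), never allowed by default.
    """
    required = requirements.get(action)
    if not required:
        return 403
    return 200 if user_perms & required else 403


def reproduce(requirements: Dict[str, Set[str]]) -> Dict[str, int]:
    """Replay the issue's reproduction steps against one requirement table.

    User X holds only VIEW_PORTFOLIO and POLICY_VIOLATION_ANALYSIS, exactly as in the report.
    """
    user_x = frozenset({VIEW_PORTFOLIO, POLICY_VIOLATION_ANALYSIS})
    return {action: authorize(user_x, action, requirements) for action in requirements}


def misgated_actions(requirements: Dict[str, Set[str]],
                     purpose: Dict[str, str] = ACTION_PURPOSE) -> List[str]:
    """Least-privilege regression check.

    Return every action whose gate does not accept the permission that was created for
    that action's purpose; a non-empty result means users are forced to hold an unrelated
    (and broader) permission to do their job.
    """
    return sorted(action for action, perm in purpose.items()
                  if perm not in requirements.get(action, set()))


if __name__ == "__main__":
    print("buggy :", reproduce(BUGGY_REQUIREMENTS), "misgated:", misgated_actions(BUGGY_REQUIREMENTS))
    print("fixed :", reproduce(FIXED_REQUIREMENTS), "misgated:", misgated_actions(FIXED_REQUIREMENTS))
```

Run against the buggy table, `reproduce` returns 200 for the list and 403 for the two analysis actions, matching the report; the same user passes every action once the table is corrected, and `misgated_actions` is empty only for the fixed table.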
@stevespringett stevespringett added enhancement New feature or request help wanted Extra attention is needed p2 Non-critical bugs, and features that help organizations to identify and reduce risk and removed in triage labels Mar 3, 2022
@stevespringett
Member

Thanks @nscuro

@nscuro nscuro added pending release and removed help wanted Extra attention is needed labels May 13, 2022
@nscuro nscuro added this to the 4.5 milestone May 13, 2022
@nscuro
Member

nscuro commented May 13, 2022

Fixed in DependencyTrack/dependency-track#1441

@nscuro nscuro closed this as completed May 13, 2022