Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

View Only Users are able to add packages



  • Hello,

    In the standard configuration of ProGet 3.0.3 there is a role defined "View Only". When I map users to that role, they are still able to Add Packages to the feed. Is this a bug? (The "Add Package" option is unchecked in the "View Only" role definition)
    I am using LDAP authentication.

    Thanks
    Stefan

    Product: ProGet
    Version: 3.0.3



  • I was not able to repro this behavior - the server refused the upload and the client demanded credentials as expected when attempting to push. Is it possible you've granted the anonymous user the ability to add packages, or there is a group that the user is a part of that is granted the privilege?



  • Hi Tod,

    The "View Only" works if you use built-in authentication with the anonymous user. Under this configuration I can browse the packages but when I try to upload a package I get asked to login.
    However, when I create another user "test" and assign this user "View Only" access rights, I am still able to upload packages while logged in as "test" user.

    I do not have any additional access rights or users defined apart from the auto generated admin account and the anonymous user.

    Are you able to reproduce?

    Thanks
    Stefan



  • I am able to reproduce this issue with the same steps as Stefan. On a clean install with LDAP auth, users given the 'View Only' role have the upload package link available.

    Thanks,
    Mike



  • Oh I see what you mean - I thought you meant that you were able to upload packages using the NuGet client... I was able to reproduce in that way. We'll have a fix for this in maintenance release v3.0.4 (logged as issue PG-210). Apologies for the confusion.



Inedo Website HomeSupport HomeCode of ConductForums GuideDocumentation