
ProGet: UI 403 errors



  • I already reported a number of these here and most of them are fixed, so thank you for that.

    Occurs in: 2024.2 (Build 2)

    Again using this permission set:
    [screenshot of the permission set]

    1. Bulk edit on /packages page
      This one was probably just overlooked from my previous report; on the container page it already seems to be fixed.
      The bulk edit menu is always visible, and clicking on it shows a menu with a delete or promote option. Selecting "Delete selected" results in no action at all, which is misleading.
      => The "bulk edit" link should be hidden for users that do not have delete or promote permissions in any feed.

    2. Notifiers Configure on /sca page
      The "Configure Notifiers" link leads to 403 page.
      => The whole panel should probably be hidden when a user has no notifier permissions

    3. Menu on /projects page
      [screenshot of the /projects page menu]
      None of the three menu items is clickable.
      => Whole menu should probably be hidden

    4. "manage license types & rules" link on /licenses page
      Link just does nothing
      => Hide

    5. Clicking on a license name on /licenses page
      Leads to 403 popup
      => Right now there is only a "Manage" permission for licenses, but I see no reason why people without editing permissions should not be able to view license details. So a read-only version of the edit popup would be helpful.

    6. Menu on project page /projects/project?projectId=5
      "Create Build" and "Import SBOM" lead to 403 popups.
      => Hide

    7. Project build page /projects2/builds/build?buildId=5
      Promote, analyze, add comment, edit build all lead to 403
      => Hide

    8. Project issues page /projects/issues?buildId=5
      Bulk edit -> Delete leads to 403.
      => Hide from bulk edit

    I'm pretty sure I overlooked some of them, since these issues are everywhere.

    It would be really great if this check could be added to the test suite, especially for new UIs. They are very easy to spot: basically, just authenticate as a user that does not have any major permissions and then click every link on a given page.

    At some point I need to start thinking about charging a tester fee. 😉

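    The check proposed above, written out as an added example (not code from Inedo or from the poster): log in as a low-privilege user, collect every same-site link on a page, and report the ones that answer 403, since those are links the UI should not have shown. It assumes plain HTML anchors, so it catches the "link leads to 403" cases but not the JavaScript-driven menus; the site and responses below are constructed for offline use.

```python
from html.parser import HTMLParser
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlparse

Fetcher = Callable[[str], Tuple[int, str]]  # url -> (status code, body)


class LinkCollector(HTMLParser):
    """Collects href targets of <a> tags, i.e. the links a user could click."""
    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(page_url: str, html: str) -> List[str]:
    """Absolute, de-duplicated same-site links found on the page."""
    collector = LinkCollector()
    collector.feed(html)
    host = urlparse(page_url).netloc
    links = set()
    for href in collector.hrefs:
        if href.startswith(("#", "javascript:", "mailto:")):
            continue  # not a navigable server request
        absolute = urljoin(page_url, href)
        if urlparse(absolute).netloc == host:
            links.add(absolute)
    return sorted(links)


def find_forbidden_links(page_url: str, fetch: Fetcher) -> List[str]:
    """Links shown on page_url that the current (low-privilege) session cannot open."""
    status, body = fetch(page_url)
    if status != 200:
        raise RuntimeError(f"{page_url} returned {status}; session may lack view permission")
    return [url for url in extract_links(page_url, body) if fetch(url)[0] == 403]


def session_fetcher(session) -> Fetcher:
    """Adapt a requests.Session logged in as the low-privilege user to a Fetcher."""
    def fetch(url: str) -> Tuple[int, str]:
        resp = session.get(url, allow_redirects=False)  # a redirect to login is not a 200
        return resp.status_code, resp.text
    return fetch


# Constructed sample site (hypothetical host) with one visible-but-forbidden link.
SAMPLE_SITE: Dict[str, Tuple[int, str]] = {
    "https://proget.example/packages": (200, '<a href="/packages/bulk-edit">Bulk edit</a>'
                                             '<a href="/feeds">Feeds</a><a href="#top">Top</a>'),
    "https://proget.example/packages/bulk-edit": (403, "Forbidden"),
    "https://proget.example/feeds": (200, "ok"),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    return SAMPLE_SITE.get(url, (404, "Not found"))
```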

  • inedo-engineer

    Thanks so much @jw! We'll get these fixed in an upcoming maintenance release via PG-2651

    Looks like we forgot to add these after applying permissions on top, and the way our security review works, it prioritizes making sure the pages are secure (versus links), so it's easy to miss.

    Anyway, we'll try to add that to our new-feature checklist... it's easy to forget since we check permissions on the page itself, not on where we link to the page.



  • Thank you!

    Cheers

