ProGet: UI 403 errors
-
I already reported a number of these here and most of them are fixed, so thank you for that.
Occurs in: 2024.2 (Build 2)
Again using this permission set:
-
Bulk edit on /packages page
This one was probably just overlooked from my previous report; on the container page it already seems to be fixed.
The bulk edit menu is always visible, and clicking on it shows a menu with delete or promote options. Selecting "Delete selected" results in no action at all, which is misleading.
=> The "bulk edit" link should be hidden for users that do not have delete or promote permissions in any feed. -
Notifiers Configure on /sca page
The "Configure Notifiers" link leads to 403 page.
=> The whole panel should probably be hidden when a user has no notifier permissions -
Menu on /projects page
None of the three menu items is clickable.
=> Whole menu should probably be hidden -
"manage license types & rules" link on /licenses page
The link just does nothing.
=> Hide -
Clicking on a license name on /licenses page
Leads to a 403 popup
=> Right now there is only a "Manage" permission for licenses, but I see no reason why people without editing permissions should not be able to view license details. So a read-only version of the edit popup would be helpful. -
Menu on project page
/projects/project?projectId=5
"Create Build" and "Import SBOM" lead to 403 popups.
=> Hide -
Project build page
/projects2/builds/build?buildId=5
Promote, analyze, add comment, edit build all lead to 403
=> Hide -
Project issues page
/projects/issues?buildId=5
Bulk edit -> Delete leads to 403.
=> Hide from bulk edit
I'm pretty sure I overlooked some of them, since these issues are everywhere.
It would be really great if this check could be added to the test suite, especially for new UIs. They are very easy to spot: basically, just be authenticated with a user that does not have any major permissions and then click every link on a given page.
At some point I need to start thinking about charging a tester fee.
-
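The check described in the post above (log in as a user with no management permissions and follow every link) can be automated. The following is an added example, not code from the thread or from Inedo: a small crawler that starts from a few pages, follows every same-site `<a href>` it finds and reports links that were rendered for the low-privilege user but whose target answers 403. The `fetch` callable takes a path and returns `(status_code, body)`; here it is wired to a constructed in-memory fake site so the example runs offline. The fake pages, the target paths such as `/sca/notifiers` and the permission names are made up for the example and are not ProGet's real URLs or permission model; only the source page paths mirror the ones listed in the post.

```python
"""Low-privilege link smoke test (added example, not Inedo's code).

A page that is protected by a permission check but still renders a link to
itself for users who lack that permission shows up here as a 403 finding.
"""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlparse


class _LinkExtractor(HTMLParser):
    """Collect the href of every <a> tag (attribute entities are unescaped)."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(base_path, html):
    """Return same-site link targets (path plus query) found in html."""
    parser = _LinkExtractor()
    parser.feed(html)
    targets = []
    for href in parser.links:
        href, _fragment = urldefrag(href)
        if not href or href.startswith(("javascript:", "mailto:")):
            continue
        parsed = urlparse(urljoin(base_path, href))
        if parsed.netloc:  # skip off-site links
            continue
        targets.append(parsed.path + ("?" + parsed.query if parsed.query else ""))
    return targets


def find_forbidden_links(fetch, start_paths):
    """Crawl as the low-privilege user; return sorted (source_page, target)
    pairs where a visible link leads to a 403 response."""
    cache = {}

    def get(path):
        if path not in cache:
            cache[path] = fetch(path)
        return cache[path]

    seen = set(start_paths)
    queue = deque(start_paths)
    findings = set()
    while queue:
        page = queue.popleft()
        status, body = get(page)
        if status != 200:
            continue
        for target in extract_links(page, body):
            target_status, _ = get(target)
            if target_status == 403:
                findings.add((page, target))
            elif target_status == 200 and target not in seen:
                seen.add(target)
                queue.append(target)
    return sorted(findings)


# Constructed fake site: path -> (required permission or None, html).
# Paths under /sca/..., /licenses/manage and the permission names are invented.
FAKE_SITE = {
    "/packages": (None, '<a href="/packages">Packages</a> <a href="/sca">SCA</a> '
                        '<a href="/licenses">Licenses</a>'),
    "/sca": (None, '<a href="/sca/notifiers">Configure Notifiers</a> '
                   '<a href="/projects">Projects</a>'),
    "/sca/notifiers": ("Notifiers_Manage", "<p>notifier settings</p>"),
    "/projects": (None, '<a href="/projects/project?projectId=5">Project 5</a>'),
    "/projects/project?projectId=5": (
        None, '<a href="/projects/project?projectId=5&amp;action=createBuild">Create Build</a>'),
    "/projects/project?projectId=5&action=createBuild": ("Builds_Create", "<p>form</p>"),
    "/licenses": (None, '<a href="/licenses/manage">manage license types &amp; rules</a>'),
    "/licenses/manage": ("Licenses_Manage", "<p>license rules</p>"),
}
LOW_PRIV_PERMISSIONS = set()  # the test user holds no management permission


def fake_fetch(path):
    """Stand-in for an HTTP client authenticated as the low-privilege user."""
    entry = FAKE_SITE.get(path)
    if entry is None:
        return 404, ""
    required, html = entry
    if required and required not in LOW_PRIV_PERMISSIONS:
        return 403, "Forbidden"
    return 200, html


if __name__ == "__main__":
    for source, target in find_forbidden_links(fake_fetch, ["/packages"]):
        print(f"{source} renders a link to {target}, which returns 403")
```

Against a real instance, `fetch` would be a session with the test user's cookie or API key, and a non-empty result is a test failure. Two caveats: actions that open a "403 popup" are typically issued as XHR calls rather than plain anchors, so those need the same check against the endpoints the page's scripts call, and links that correctly appear for a privileged user should be verified in a second run with that user so that the test does not simply reward hiding everything.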
Thanks so much @jw! We'll get these fixed in an upcoming maintenance release via PG-2651
Looks like we forgot to add these after applying permissions on top, and the way our security review works, it prioritizes making sure the pages are secure (versus links), so it's easy to miss.
Anyway we'll try to add that to our new feature checklist... easy to forget to do since we check permissions on the page itself, not on where we link to the page.
-
Thank you!
Cheers