Uploaded image for project: 'Automation Hub'
  1. Automation Hub
  2. AAH-2223

user with no permissions can use the copy_collection_version

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Undefined Undefined
    • 2.4, crc-2023-06-27
    • 2.4
    • Backend
    • None
    • False
    • Hide

      None

      Show
      None
    • False
    • Release Note Not Required
    • Approved

      Preconditions:

      there is a user with no roles assigned

      there are two new repo/distributio. One of them has an artifact (in this case, artifact name: collection_dep_a_jxxirwds), the other one is empty (destination repo).

       

      Steps to reproduce

      1) Call collection_versions endopoint to get content_units:

      GET /api/automation-hub/pulp/api/v3/content/ansible/collection_versions/?name=collection_dep_a_jxxirwds

      response:

       

      "add_content_units": ["/api/automation-hub/pulp/api/v3/content/ansible/collection_versions/37e5c404-307a-4342-970c-04e2df14dc88/"

       

      2) Using a non-adming user with no groups associated, copy CV from one repo to the other

       

      POST /api/automation-hub/pulp/api/v3/repositories/ansible/ansible/10a6db36-6cb1-432a-a48d-752979baf4c5/copy_collection_version/
{"collection_versions": ["/api/automation-hub/pulp/api/v3/content/ansible/collection_versions/37e5c404-307a-4342-970c-04e2df14dc88/"], "destination_repositories": ["/api/automation-hub/pulp/api/v3/repositories/ansible/ansible/930670bb-2a59-4668-ae00-a16bd14da862/"]}

       

      Expected result
      403 Unauthorized. 

      User has no rights to upload to this repo.

       

      Actual result

      {}CV is copied to the repo
       

            bmclaugh@redhat.com Brian McLaughlin
            ctorrens@redhat.com Christian Torrens
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: