DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Viewing project properties requires PORTFOLIO_MANAGEMENT #1324

Open CBerndt-Work opened 2 years ago

CBerndt-Work commented 2 years ago

Current Behavior:

A user must have the PORTFOLIO_MANAGEMENT permission in order to view the 'custom' project properties.

Steps to Reproduce:

1. Create a project (PUT /v1/project)
2. Create a property for that project (PUT /v1/project/{uuid}/property)
3. Create a team with only the VIEW_PORTFOLIO permission (PUT /v1/team; PUT /v1/permission/VIEW_PORTFOLIO/team/{uuid})
4. Switch to a user or API key in that team
5. Attempt to read the property (GET /v1/project/{uuid}/property) => 403

Expected Behavior:

VIEW_PORTFOLIO should be enough to view a project's properties

Environment:
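The reproduction steps above as a runnable script, added here as an example (it is not code from the issue author or from the Dependency-Track project). It assumes DT_URL points at the API root (for example http://localhost:8080/api), DT_ADMIN_KEY can create projects and teams, curl and jq are installed, the permission call is POST (the issue lists PUT) and keys are generated with PUT /v1/team/{uuid}/key; the JSON bodies are constructed and may need adjusting per server version.

```shell
#!/bin/sh
# Reproduction of this issue's steps (added example; not the issue author's or the
# project's own script). Assumptions: DT_URL, DT_ADMIN_KEY, curl and jq are available;
# request bodies are constructed here and may need adjusting for your server version.
set -u

# dt_call METHOD PATH API_KEY [JSON_BODY]: prints the response body, then the HTTP
# status code on its own final line.
dt_call() {
    curl -s -X "$1" -H "X-Api-Key: $3" -H 'Content-Type: application/json' \
        ${4:+-d "$4"} -w '\n%{http_code}' "$DT_URL$2"
}
resp_body() { sed '$d'; }      # everything but the status line
resp_status() { tail -n 1; }   # only the status line

# Interpret the status of GET /v1/project/{uuid}/property made with a key that only
# has VIEW_PORTFOLIO: 0 = expected behaviour, 1 = the bug in this issue, 2 = other error.
classify_property_read() {
    case "$1" in
        200) echo "ok: VIEW_PORTFOLIO can read project properties"; return 0 ;;
        403) echo "bug reproduced: PORTFOLIO_MANAGEMENT required (HTTP 403)"; return 1 ;;
        *)   echo "unexpected status $1 (check DT_URL / API key)"; return 2 ;;
    esac
}

reproduce() {
    proj=$(dt_call PUT /v1/project "$DT_ADMIN_KEY" \
        '{"name":"perm-repro","version":"1.0"}' | resp_body | jq -r .uuid)
    dt_call PUT "/v1/project/$proj/property" "$DT_ADMIN_KEY" \
        '{"groupName":"repro","propertyName":"k","propertyValue":"v","propertyType":"STRING"}' >/dev/null
    team=$(dt_call PUT /v1/team "$DT_ADMIN_KEY" '{"name":"view-only"}' | resp_body | jq -r .uuid)
    # The issue lists this call as PUT; POST is assumed here for current servers.
    dt_call POST "/v1/permission/VIEW_PORTFOLIO/team/$team" "$DT_ADMIN_KEY" >/dev/null
    # Generate an API key bound to the view-only team (endpoint assumed).
    key=$(dt_call PUT "/v1/team/$team/key" "$DT_ADMIN_KEY" | resp_body | jq -r .key)
    classify_property_read "$(dt_call GET "/v1/project/$proj/property" "$key" | resp_status)"
}

# Only talk to a server when explicitly asked: DT_RUN=1 ./repro.sh
if [ "${DT_RUN:-0}" = 1 ]; then reproduce; fi
```

The script exits 1 when the 403 from this issue reproduces and 0 once a VIEW_PORTFOLIO-only key can read the property, so it doubles as a regression check for a fix.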

a5a351e7 commented 1 year ago

I am struggling with the same issue. The VIEW_PORTFOLIO permission should show all information of a project as read only. So a "push" to this issue from my side.

Maybe the project owner @stevespringett or another team member could say something about this issue, because I am willing to try to implement it and make a pull request.