go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License

Member of team with limited "Read" only access to issues can create new issues #31890

Open seccentral opened 3 weeks ago

seccentral commented 3 weeks ago

Description

I created a Gitea instance with Keycloak authentication for the purpose of centralizing authentication/authorization for multiple services under one solution. I added the users to groups that are exposed, along with their group names, as a custom claim in the access token, then created an Org with teams in Gitea and mapped the claimed groups to the organization's teams, representing full-access administrators and read-only members. The read-only members should have read-only access to the Issues and Wiki, as configured in the Team's ACL settings. The problem is that the read-only users can create new issues, hence I suspect that this is a bug.

TL/DR - make an org with a team whose members are ACL-restricted to read only, and they can create new issues.

Gitea Version

1.21.8

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

Screenshots


Git Version

No response

Operating System

Debian 12

How are you running Gitea?

Custom-tailored Docker stack including its PostgreSQL database, auth (Keycloak) and reverse proxy (Caddy), but this detail is not relevant for this bug.

Database

PostgreSQL

lunny commented 3 weeks ago

It's not a bug; it's by design, which keeps it consistent with GitHub's implementation.

seccentral commented 3 weeks ago

I didn't know. Is there a way to allow read-only access, as the ACL page actually suggests is happening? If not, it should be useful to remove the read-only option from the ACL settings page, because it's not advertising what it's selling.

Also, thank you for clarifying.