Closed johocurtest closed 4 years ago
Hello @johocurtest - agreed that anyone who has read access to the github repo can see the threat model, and indeed if they have write access then they can modify it, which is a consequence of the permissions on the github repo that is being used.
There are two use cases that I see for TD:
The company I work for uses TD desktop and an Atlassian repo, which seems to work well. If you want to use the web app then access control is needed on the github repo.
There is a gitlab integration for TD on a fork that may be of interest: https://github.com/mike-goodwin/owasp-threat-dragon/issues/68#issuecomment-590002400
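As an added illustration of the repo-level access control the reply above refers to (not configuration from the project or from any participant in this thread): GitHub has no per-file ACL, but a `CODEOWNERS` file combined with branch protection can make changes to the model files require review. The directory name `ThreatDragonModels/` and the team name `@example-org/appsec` are assumptions for the example, not names taken from this page.

```text
# .github/CODEOWNERS (example, not from the project)
# Assumes the web app writes models under ThreatDragonModels/ and that
# @example-org/appsec is the team that should approve model changes.
ThreatDragonModels/**   @example-org/appsec

# Protect this file as well, otherwise anyone with write access can
# simply edit the ownership rule away.
/.github/CODEOWNERS     @example-org/appsec
```

Two caveats apply. First, CODEOWNERS only has effect when branch protection on the target branch enables "Require review from Code Owners"; without that it is merely an annotation, and a user with write access can still push a changed model directly. Second, this only constrains writes. Anyone with read access to the repository can still see the threat model, exactly as the reply above says, so a model that must stay private needs a private repository with a restricted collaborator list.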
Migrated to new issue in the OWASP area repo: https://github.com/OWASP/threat-dragon/issues/10
It seems there is no ACL on the threat model file created in GitHub
Steps:
Result: User B can change a file created by User A (no Read/Edit/Modify ACL)