[RTFACT-20830] "Deploy Artifact by Checksum" REST API does not check permissions properly - JFrog JIRA

XML

Word

Printable

Details

Type: Bug
Status: Done
Resolution: Done
Affects Version/s: 6.16.0
Fix Version/s: 7.15.3
Component/s: REST API
Labels:
- PB_Done
Environment:

Windows Server 2019 Datacenter Version 1809 (OS Build 17763.678)

Java 1.8.0_221

Artifactory 6.16.0

Severity:
Medium
Release Notes:
Yes

Description

Users attempting to update an artifact using the Deploy Artifact by Checksum call are able to successfully update metadata about the artifact even though they do not have Delete/Overwrite permission.

Steps to Reproduce

Create a new generic repo
Give a user Read, Annotate, and Create/Publish permissions to the repo
Deploy a new artifact using the "Deploy Artifact" rest API
The user receives a 201 Created response, and the artifact is now available in Artifactory
Attempt to re-deploy (i.e. update) the artifact using the exact same "Deploy Artifact" call to deploy the exact same artifact to the same destination again.
User receives a 403 error with the description "Not enough permission to delete/overwrite the artifact"
Perform the same request again, but use the "Deploy Artifacts by Checksum" REST call.
User receives a 201 Created response, and the timestamp on the artifact is updated.

This call should respect the same permission model that the "Deploy Artifact" call respects, and provide users that don't have Delete/Overwrite permissions with a 403 Forbidden error.

Attachments

Issue Links

is duplicated by

RTFACT-20981 Access should check Delete permission when jfrog rt u command comes in

Done

Activity

People

Assignee:: Mor Merhav

Reporter:: David Hathaway

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 10/Dec/19 8:47 PM

Updated:: 24/May/22 8:12 AM

Resolved:: 10/Jan/21 10:29 PM

Sync Status

Connection: RTFACT Sync

RTMID-20830 -
SYNCHRONIZED

Last Sync Date: