Users attempting to update an artifact using the Deploy Artifact by Checksum call are able to successfully update metadata about the artifact even though they do not have Delete/Overwrite permission.
Steps to Reproduce
- Create a new generic repo
- Give a user Read, Annotate, and Create/Publish permissions to the repo
- Deploy a new artifact using the "Deploy Artifact" REST API
- The user receives a 201 Created response, and the artifact is now available in Artifactory
- Attempt to re-deploy (i.e. update) the artifact using the exact same "Deploy Artifact" call to deploy the exact same artifact to the same destination again.
- User receives a 403 error with the description "Not enough permission to delete/overwrite the artifact"
- Perform the same request again, but use the "Deploy Artifact by Checksum" REST call.
- User receives a 201 Created response, and the timestamp on the artifact is updated.
This call should respect the same permission model that the "Deploy Artifact" call respects, and return a 403 Forbidden error to users who don't have Delete/Overwrite permissions.
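A regression check for the steps above, written for this page as an added example (it is not JFrog's code). It runs the three deploys as the restricted test user and reports whether the checksum path enforces Delete/Overwrite. Assumptions: `base_url` ends in `/artifactory`, the user authenticates with a bearer access token, and the repository and path names are hypothetical.

```python
import hashlib
import urllib.error
import urllib.request


def build_deploy(base_url, repo, path, data, token, by_checksum=False):
    """Build the PUT for Deploy Artifact or Deploy Artifact by Checksum."""
    headers = {"Authorization": f"Bearer {token}"}  # assumed auth scheme
    body = data
    if by_checksum:
        # Checksum deploy sends no content, only the SHA-1 of a stored blob.
        headers["X-Checksum-Deploy"] = "true"
        headers["X-Checksum-Sha1"] = hashlib.sha1(data).hexdigest()
        body = b""
    url = f"{base_url.rstrip('/')}/{repo}/{path}"
    return urllib.request.Request(url, data=body, headers=headers, method="PUT")


def send(req):
    """Return the HTTP status code, including 4xx/5xx responses."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def verdict(first, redeploy, checksum_redeploy):
    """Classify the three status codes from the reproduction steps."""
    if first != 201:
        return "setup-failed"          # initial deploy must succeed
    if redeploy != 403:
        return "unexpected-baseline"   # user may hold Delete/Overwrite
    if checksum_redeploy == 403:
        return "enforced"
    return "bypass" if checksum_redeploy in (200, 201) else "inconclusive"


def check(base_url, repo, path, data, token, send=send):
    """Run deploy, re-deploy, checksum re-deploy as the restricted user."""
    plain = build_deploy(base_url, repo, path, data, token)
    by_sum = build_deploy(base_url, repo, path, data, token, by_checksum=True)
    return verdict(send(plain), send(plain), send(by_sum))
```

Run `check(...)` against a scratch repository with a fresh path each time; a result of `"enforced"` means the checksum call returned 403 as the plain re-deploy did.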
- is duplicated by RTFACT-20981 "Access should check Delete permission when jfrog rt u command comes in" (Done)