  1. Artifactory Binary Repository
  2. RTFACT-20830

"Deploy Artifact by Checksum" REST API does not check permissions properly


    Details

    • Type: Bug
    • Status: Done
    • Resolution: Done
    • Affects Version/s: 6.16.0
    • Fix Version/s: 7.15.3
    • Component/s: REST API
    • Labels:
    • Environment:

      Windows Server 2019 Datacenter Version 1809 (OS Build 17763.678)

      Java 1.8.0_221

      Artifactory 6.16.0

    • Severity:
      Medium
    • Release Notes:
      Yes

      Description

      Users attempting to update an artifact using the Deploy Artifact by Checksum call are able to successfully update metadata about the artifact even though they do not have Delete/Overwrite permission.

      Steps to Reproduce

      1. Create a new generic repo
      2. Give a user Read, Annotate, and Create/Publish permissions to the repo
      3. Deploy a new artifact using the "Deploy Artifact" REST API
      4. The user receives a 201 Created response, and the artifact is now available in Artifactory
      5. Attempt to re-deploy (i.e. update) the artifact using the exact same "Deploy Artifact" call to deploy the exact same artifact to the same destination again.
      6. User receives a 403 error with the description "Not enough permission to delete/overwrite the artifact"
      7. Perform the same request again, but use the "Deploy Artifact by Checksum" REST call.
      8. User receives a 201 Created response, and the timestamp on the artifact is updated.

      This call should respect the same permission model that the "Deploy Artifact" call respects, and provide users that don't have Delete/Overwrite permissions with a 403 Forbidden error.
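
The permission behaviour described above, as an added example that is not Artifactory code and not part of the original report: a toy in-memory model in which both deploy entry points either share one write-authorization decision (expected) or the checksum path skips the overwrite check (reported). The class, method, permission and path names are all assumptions made for illustration.

```python
import hashlib

class Repo:
    """Toy in-memory repository modelling the two deploy entry points."""

    def __init__(self, grants, enforce_on_checksum_deploy):
        self.grants = grants                      # user -> set of permission names
        self.enforce = enforce_on_checksum_deploy
        self.items = {}                           # path -> (sha1, modified counter)
        self.blobs = set()                        # checksums already stored
        self.tick = 0                             # stand-in for the artifact timestamp

    def _authorize_write(self, user, path):
        """Single decision for every write path: overwriting needs 'delete'."""
        held = self.grants.get(user, set())
        if "deploy" not in held:
            return 403
        if path in self.items and "delete" not in held:
            return 403
        return None

    def _store(self, path, sha1):
        self.tick += 1
        self.items[path] = (sha1, self.tick)
        self.blobs.add(sha1)
        return 201

    def deploy(self, user, path, content):
        denied = self._authorize_write(user, path)
        return denied or self._store(path, hashlib.sha1(content).hexdigest())

    def deploy_by_checksum(self, user, path, sha1):
        if sha1 not in self.blobs:
            return 404                            # nothing stored with that checksum
        if self.enforce:                          # expected: same check as deploy()
            denied = self._authorize_write(user, path)
        else:                                     # reported: overwrite check skipped
            denied = None if "deploy" in self.grants.get(user, set()) else 403
        return denied or self._store(path, sha1)

def run_issue_steps(enforce):
    """Replay steps 2-8 and return (first, redeploy, by_checksum, timestamp_changed)."""
    repo = Repo({"dev": {"read", "annotate", "deploy"}}, enforce)
    data = b"constructed sample artifact"
    first = repo.deploy("dev", "generic-local/app.bin", data)
    again = repo.deploy("dev", "generic-local/app.bin", data)
    before = repo.items["generic-local/app.bin"][1]
    by_sum = repo.deploy_by_checksum("dev", "generic-local/app.bin",
                                     hashlib.sha1(data).hexdigest())
    return first, again, by_sum, repo.items["generic-local/app.bin"][1] != before
```

`run_issue_steps(False)` reproduces the status sequence from the steps above (201, 403, 201 with a changed timestamp); `run_issue_steps(True)` gives the sequence the report asks for (201, 403, 403 with the timestamp untouched).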


                People

                Assignee:
                morm Mor Merhav
                Reporter:
                dwhathaway David Hathaway
                Votes:
                0
                Watchers:
                5
