  1. Artifactory Binary Repository
  2. RTFACT-20981

Access should check Delete permission when jfrog rt u command comes in


    Details

    • Type: Bug
    • Status: Done
    • Resolution: Duplicate
    • Affects Version/s: 6.16.0
    • Fix Version/s: None
    • Component/s: None
    • Labels:
    • Environment:

      Artifactory : 6.16.0

      jfrog cli : v1.25.0,  v1.32.4

       

      Description

      Artifactory/Access should check Delete permission when jfrog rt u command comes in

       

      Steps to reproduce

      1. Give a user Deploy, Annotate and Read permission but not Delete permission, and set the user ID and password in the jfrog rt config as well.

      2. Upload a file.

      jfrog rt curl -XPUT "/generic-local/" -T b.txt

      {
        "repo" : "generic-local",
        "path" : "/b.txt",
        "created" : "2019-12-27T19:14:20.019Z",
        "createdBy" : "davids",
        "downloadUri" : RESTRICTED_URL,
        "mimeType" : "text/plain",
        "size" : "9",
        "checksums" : {
          "sha1" : "8e0d9fc7cb8f28eec164789367833a031cee6072",
          "md5" : "983d884fb77ae91fd3d19995202147cc",
          "sha256" : "5c324a5d15bbbe9148cfbab67a0340bcded29e249b3866abae7b0e1f5262853c"
        },
        "originalChecksums" : {
          "sha256" : "5c324a5d15bbbe9148cfbab67a0340bcded29e249b3866abae7b0e1f5262853c"
        },
        "uri" : RESTRICTED_URL
      }


      2. jfrog rt curl -XPUT "/generic-local/" -T b.txt

      {
        "errors" : [ {
          "status" : 403,
          "message" : "Not enough permissions to delete/overwrite artifact 'generic-local:b.txt' (user 'davids' needs DELETE permission)."
        } ]
      }

      20191227191445|6|REQUEST|RESTRICTED_IP|davids|PUT|/generic-local/b.txt|HTTP/1.1|403|9

      This is the expected behavior.

       

       

      3. Now upload the same file with the jfrog rt u command.

      jfrog rt u "b.txt" "generic-local"

      Log path: /Users/davids/.jfrog/logs/jfrog-cli.2019-12-27.11-14-39.95227.log

      {
        "status": "success",
        "totals": {
          "success": 1,
          "failure": 0
        }
      }

      20191227192739|90|REQUEST|RESTRICTED_IP|davids|PUT|/generic-local/b.txt;|HTTP/1.1|201|9

       

       

       

      This is unexpected behavior. It should show a 403 error like step #2.

      It seems that Artifactory/Access does not check Delete permission when a jfrog rt u command comes in.

       

       


                People

                Assignee:
                yanivs Yaniv Shani [X] (Inactive)
                Reporter:
                davids David Shin
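One way to look for the condition reported above in request-log lines of the layout quoted in the ticket, as an added example that is not part of the original issue or of JFrog's code: it flags a successful PUT to a path that already had a successful PUT, when the user is on a list of accounts known to lack Delete permission. The field meanings, the `no_delete_users` input, the function names and the sample lines are assumptions made for this sketch.

```python
# Added example: flag successful re-deploys by accounts that lack Delete permission.
# Assumed field layout, matching the request-log lines quoted in the ticket:
# timestamp|duration|REQUEST|client_ip|user|method|path|protocol|status|size

# Constructed sample log (IPs, the first upload line and the admin/c.txt
# entries are made up for the example).
SAMPLE_LOG = """\
20191227191420|12|REQUEST|192.0.2.10|davids|PUT|/generic-local/b.txt|HTTP/1.1|201|9
20191227191445|6|REQUEST|192.0.2.10|davids|PUT|/generic-local/b.txt|HTTP/1.1|403|9
20191227192739|90|REQUEST|192.0.2.10|davids|PUT|/generic-local/b.txt;|HTTP/1.1|201|9
20191227193001|15|REQUEST|192.0.2.10|admin|PUT|/generic-local/b.txt|HTTP/1.1|201|9
20191227193105|11|REQUEST|192.0.2.10|davids|PUT|/generic-local/c.txt;|HTTP/1.1|201|4
"""


def parse(line):
    """Return a dict for one REQUEST line, or None if the line does not fit."""
    f = line.strip().split("|")
    if len(f) != 10 or f[2] != "REQUEST" or not f[8].isdigit():
        return None
    # The jfrog rt u request in the ticket is logged with a trailing ';'.
    # Strip everything from ';' on so both upload styles map to one path.
    return {"ts": f[0], "user": f[4], "method": f[5],
            "path": f[6].split(";", 1)[0], "status": int(f[8])}


def find_overwrites(log_text, no_delete_users):
    """List (timestamp, user, path) for overwrites by users without Delete."""
    existing = set()   # paths with a successful deploy seen so far
    findings = []
    for line in log_text.splitlines():
        r = parse(line)
        if r is None or not 200 <= r["status"] < 300:
            continue   # rejected requests (such as the 403) changed nothing
        if r["method"] == "DELETE":
            existing.discard(r["path"])   # a later PUT is a fresh deploy
        elif r["method"] == "PUT":
            if r["path"] in existing and r["user"] in no_delete_users:
                findings.append((r["ts"], r["user"], r["path"]))
            existing.add(r["path"])
    return findings


if __name__ == "__main__":
    for hit in find_overwrites(SAMPLE_LOG, {"davids"}):
        print("overwrite without Delete permission:", *hit)
```

Artifacts deployed before the start of the log window are unknown to the script, so it under-reports unless it is fed the log from the first deploy onward.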