Portfolio access control not respected in API requests? #4370

thomashucke · 2024-11-13T09:49:24Z

Current Behavior

New projects / versions are created in root though project access should be limited by porfolio access control policy to one existing (parent) project.

Steps to Reproduce

Create a new project "Parent project"
Set up a team "Gitlab-CI publish only" with minimal permissions to upload SBOMs and create new projects (BOM_UPLOAD, PROJECT_CREATION_UPLOAD)
Enable portfolio access control
For team "Gitlab-CI publish only" only enable project access only to "Parent project"
POST a new SBOM using CURL without parameter "parentName" or "parentUUID"

Expected Behavior

POST should fail because of the access limitation by porfolio access control policy

Dependency-Track Version

4.12.1

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Mozilla Firefox

Checklist

I have read and understand the contributing guidelines
I have checked the existing issues for whether this defect was already reported

thomashucke added defect Something isn't working in triage labels Nov 13, 2024

thomashucke changed the title ~~Porfolio access control not respected in API requests?~~ Portfolio access control not respected in API requests? Nov 13, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Portfolio access control not respected in API requests? #4370

Portfolio access control not respected in API requests? #4370

thomashucke commented Nov 13, 2024

Portfolio access control not respected in API requests? #4370

Portfolio access control not respected in API requests? #4370

Comments

thomashucke commented Nov 13, 2024

Current Behavior

Steps to Reproduce

Expected Behavior

Dependency-Track Version

Dependency-Track Distribution

Database Server

Database Server Version

Browser

Checklist