[pipeline template] a user which is not admin for a pipeline is able to create a template based on it #4496

Closed
aqneves opened this issue Mar 7, 2018 · 1 comment

@aqneves

commented Mar 7, 2018

Issue Type
  • Bug Report
Summary

Any user can create a template based on a template for which he is not an Admin. This removes the capability of the owners of those pipelines to modify them - as they won't have by default access to the pipeline template - and allows the user which created the template to modify it influencing the origin pipeline.

Environment
Basic environment details
  • Go Version: 18.1
  • JAVA Version: 1.8.0_131
  • OS: Linux 3.10.0-514.26.2.el7.x86_64
  • Browser vendor and version (if relevant): any
Additional Environment Details
Steps to Reproduce
  1. Pipeline U1 is created, a certain role is created and assigned to both the user and the pipeline (Admin permissions).
  2. User U1 is now Admin for pipeline X.
  3. User U2 is NOT Admin for pipeline X, he uses other pipeline groups / pipelines.
  4. User U2 decides to create a template for a pipeline and uses the “Extract from pipeline” option, selecting pipeline X as source.
  5. A template is created and now, U1 can’t edit the pipeline because it’s now based on a template and he won’t be able to do so until the GO System Administrator provides access to the template itself. U2, which created the pipeline template, is now admin for it.
  6. U2 has now removed the capability for U1 to modify the pipeline X for which U1 is the owner. More, U2 can now edit the template and influence a pipeline for which he is not the Administrator.
Expected Results

A user should only be able to create a pipeline template based on templates for which he is an Admin.

Actual Results

A user sees the full list of pipelines when creating a template using as source another pipeline.

Possible Fix
Log snippets
Code snippets/Screenshots
Any other info

@varshavaradarajan varshavaradarajan added this to the Release 18.3 milestone Mar 7, 2018

varshavaradarajan added a commit to varshavaradarajan/gocd that referenced this issue Mar 13, 2018

varshavaradarajan added a commit to varshavaradarajan/gocd that referenced this issue Mar 20, 2018

varshavaradarajan added a commit to varshavaradarajan/gocd that referenced this issue Mar 22, 2018

varshavaradarajan added a commit to varshavaradarajan/gocd that referenced this issue Mar 26, 2018

varshavaradarajan added a commit that referenced this issue Mar 27, 2018

Merge pull request #4520 from varshavaradarajan/template-auth-bug
Show only pipelines that the user has admin permissions to to extract a template. (#4496)
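
The behaviour reported in this issue and the permission check it asks for, as an added example that is not part of the thread or of GoCD's code. It is a simplified Python model: `Server`, `extractable_pipelines` and `extract_template` are hypothetical names, the data is constructed, and repeating the check inside the extract action (not only in the list) is an assumption about defence in depth, not something the thread states.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Caller is not an admin of the source pipeline."""

@dataclass
class Server:
    # Constructed model; names are hypothetical, not GoCD classes.
    super_admins: set = field(default_factory=set)
    pipeline_admins: dict = field(default_factory=dict)    # pipeline -> admin users
    template_admins: dict = field(default_factory=dict)    # template -> admin users
    pipeline_template: dict = field(default_factory=dict)  # pipeline -> template in use

    def is_pipeline_admin(self, user, pipeline):
        return user in self.super_admins or user in self.pipeline_admins.get(pipeline, set())

    def can_edit_pipeline(self, user, pipeline):
        # Step 5 of the report: a template-based pipeline can only be edited
        # by someone who also has access to the template.
        if not self.is_pipeline_admin(user, pipeline):
            return False
        template = self.pipeline_template.get(pipeline)
        if template is None or user in self.super_admins:
            return True
        return user in self.template_admins.get(template, set())

    def extractable_pipelines(self, user):
        # What the "Extract from pipeline" list should offer:
        # only pipelines the user administers.
        return sorted(p for p in self.pipeline_admins if self.is_pipeline_admin(user, p))

    def extract_template(self, user, pipeline, template, enforce=True):
        # enforce=False reproduces the reported behaviour. enforce=True repeats the
        # check at the action itself, so a filtered list is not the only barrier.
        if enforce and not self.is_pipeline_admin(user, pipeline):
            raise Forbidden(f"{user} is not an admin of pipeline {pipeline}")
        self.template_admins[template] = {user}    # creator becomes template admin
        self.pipeline_template[pipeline] = template

if __name__ == "__main__":
    s = Server(pipeline_admins={"X": {"U1"}, "Y": {"U2"}})  # constructed sample data
    print("U2 may extract from:", s.extractable_pipelines("U2"))
    s.extract_template("U2", "X", "T", enforce=False)        # behaviour in the report
    print("U1 can still edit X:", s.can_edit_pipeline("U1", "X"))
```
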
@rajiesh

Contributor

commented Apr 18, 2018

Verified on 18.3.0 (6537-931d914224566c5e5069d1e3c583aba8a4bfc414)

@rajiesh rajiesh closed this Apr 18, 2018
