Skip to content

Ensure PROJECT_CREATION_UPLOAD same behaviour for tagging when autocr… #5140

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Ensure PROJECT_CREATION_UPLOAD same behaviour for tagging when autocr… #5140

wants to merge 1 commit into from

Conversation

snieguu
Copy link
Contributor

@snieguu snieguu commented Jul 25, 2025
edited
Loading

Description

This PR fixes an authorization inconsistency regarding tag handling for users with the PROJECT_CREATION_UPLOAD permission during project auto-creation/update for PUT/POST /v1/bom resource

Users with only the PROJECT_CREATION_UPLOAD permission were previously able to:

Update tags when bom upload, even without PORTFOLIO_MANAGEMENT permission and could not do the same for existing projects.

This led to inconsistent permission boundaries

Tag creation or updates are now entirely blocked for users who only have the PROJECT_CREATION_UPLOAD permission - regardless of whether the project is being created or updated.

Proper tag handling (both creation and modification) now consistently requires the PORTFOLIO_MANAGEMENT permission.

Addressed Issue

#5127

Checklist

  • I have read and understand the contributing guidelines
  • This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • This PR introduces changes to the database model, and I have added corresponding update logic
  • This PR introduces new or alters existing behavior, and I have updated the documentation accordingly

@owasp-dt-bot
Copy link

owasp-dt-bot commented Jul 25, 2025
edited
Loading

🎉 Snyk checks have passed. No issues have been found so far.

security/snyk check is complete. No issues have been found. (View Details)

@snieguu snieguu mentioned this pull request Jul 25, 2025
Open
2 tasks
@codacy-production Codacy Production
Copy link

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation Diff coverage
Report missing for 6db35931 100.00% (target: 70.00%)
Coverage variation details
Coverable lines Covered lines Coverage
Common ancestor commit (6db3593) Report Missing Report Missing Report Missing
Head commit (56b1c0f) 24099 19495 80.90%

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details
Coverable lines Covered lines Diff coverage
Pull request (#5140) 18 18 100.00%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences

Footnotes

  1. Codacy didn't receive coverage data for the commit, or there was an error processing the received data. Check your integration for errors and validate that your coverage setup is correct.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@snieguu @owasp-dt-bot