Closed
Description
I tested the new 1.17.0 today. It seems the permissions for package repositories are not working correctly. I was able to delete a package in my organization without any permission.
Steps to reproduce:
- Upload a new nuget(?) package to an organization.
- Create a Team in that organization without permission to manage packages. (no access, see screenshot below)
- Add a new non-admin user and add him to the team.
- Log in to Gitea with the newly created user and move into the organization.
- Select Packages.
- Show the settings menu for the uploaded nuget(?) package. (that shouldn't be possible.)
- Delete the nuget package. (that definitely shouldn't be possible.)
I've double checked and the package is really gone, so the user deleted it.
I think it's important, as currently users are able to delete packages which they shouldn't have permissions for.
Maybe there are also other problems with permissions on package registries?
Gitea Version
docker-1.17.0
Can you reproduce the bug on the Gitea demo site?
No
Log Gist
No response
Screenshots
Git Version
2.36.2
Operating System
Docker@Linux
How are you running Gitea?
Running Gitea on a Linux machine in a Docker container behind a reverse proxy. I think the permission problems described above shouldn't depend on that.
Database
PostgreSQL