[1.17.0] Disallowed permission behaviour on package registry #9304

New Issue

Closed

opened 2025-11-02 08:34:44 -06:00 by GiteaMirror · 4 comments

GiteaMirror commented 2025-11-02 08:34:44 -06:00

Owner

Copy Link

Originally created by @LukasKlepper on GitHub (Aug 1, 2022).

Description

I tested the new 1.17.0 today. As it seems the permissions for package repositories are not working correctly. I was able to delete a package on my organization without any permission.

Steps to reproduce:

• Upload a new nuget(?) package to a organization.
• Create a Team on that organization without permission to manage packages. (no access, see screenshow below)
• Add a new non-admin user and add him to the team.
• Login into Gitea with the new created user and move into the organization.
• Select Packages.
• Show the settings menu for the uploaded nuget(?) package. (that shouldn't be possible.)
• Delete the nuget package. (that definitly shouldn't be possible.)

I've double checked and the package is really gone, so the user deleted it.
I think its important as currently users are able to delete packages, which they shouldn't have permissions to.

Maybe there are also other problems with permissions on package registries?

Gitea Version

docker-1.17.0

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

Git Version

2.36.2

Operating System

Docker@Linux

How are you running Gitea?

Running Gitea on a linux machine in a docker container behind a reverse proxy. I think that shouldn't depend to the described permission problems above.

Database

PostgreSQL

Originally created by @LukasKlepper on GitHub (Aug 1, 2022). ### Description I tested the new 1.17.0 today. As it seems the permissions for package repositories are not working correctly. I was able to delete a package on my organization without any permission. Steps to reproduce: - Upload a new nuget(?) package to a organization. - Create a Team on that organization without permission to manage packages. (no access, see screenshow below) - Add a new non-admin user and add him to the team. - Login into Gitea with the new created user and move into the organization. - Select Packages. - Show the settings menu for the uploaded nuget(?) package. (that shouldn't be possible.) - Delete the nuget package. (that definitly shouldn't be possible.) I've double checked and the package is really gone, so the user deleted it. I think its important as currently users are able to delete packages, which they shouldn't have permissions to. Maybe there are also other problems with permissions on package registries? ### Gitea Version docker-1.17.0 ### Can you reproduce the bug on the Gitea demo site? No ### Log Gist _No response_ ### Screenshots  ### Git Version 2.36.2 ### Operating System Docker@Linux ### How are you running Gitea? Running Gitea on a linux machine in a docker container behind a reverse proxy. I think that shouldn't depend to the described permission problems above. ### Database PostgreSQL

GiteaMirror added the topic/packagesissue/needs-feedback labels 2025-11-02 08:34:44 -06:00

GiteaMirror closed this issue 2025-11-02 08:34:44 -06:00

GiteaMirror commented 2025-11-02 08:34:45 -06:00

Author

Owner

Copy Link

@KN4CK3R commented on GitHub (Aug 8, 2022):

Can't reproduce it. May be related to #20517 but that should not be possible even before that change. A user in a not-Owner-team has only read access if the user is not an admin.

@KN4CK3R commented on GitHub (Aug 8, 2022): Can't reproduce it. May be related to #20517 but that should not be possible even before that change. A user in a not-`Owner`-team has only read access if the user is not an admin.

GiteaMirror commented 2025-11-02 08:34:45 -06:00

Author

Owner

Copy Link

@wxiaoguang commented on GitHub (Oct 10, 2022):

@LukasKlepper is it still a problem? If no problem, the issue could be closed.

If there is still a problem, could you provide a reproducible setup (eg: docker compose, detailed operation commands) to help to reproduce?

@wxiaoguang commented on GitHub (Oct 10, 2022): @LukasKlepper is it still a problem? If no problem, the issue could be closed. If there is still a problem, could you provide a reproducible setup (eg: docker compose, detailed operation commands) to help to reproduce?

GiteaMirror commented 2025-11-02 08:34:45 -06:00

Author

Owner

Copy Link

@LukasKlepper commented on GitHub (Oct 10, 2022):

Hi @wxiaoguang

I will test it in the latest version & document my setup & steps to reproduce if the error still exists.

@LukasKlepper commented on GitHub (Oct 10, 2022): Hi @wxiaoguang I will test it in the latest version & document my setup & steps to reproduce if the error still exists.

GiteaMirror commented 2025-11-02 08:34:45 -06:00

Author

Owner

Copy Link

@wxiaoguang commented on GitHub (Oct 26, 2022):

Hello, this issue has been inactive for more than 2 weeks. Feel free to re-open with a reproducible setup if there is still a problem.

@wxiaoguang commented on GitHub (Oct 26, 2022): Hello, this issue has been inactive for more than 2 weeks. Feel free to re-open with a reproducible setup if there is still a problem.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

release/v1.25

release/v1.24

release/v1.23

release/v1.22

release/v1.21

release/v1.20

release/v1.19

release/v1.18

release/v1.17

release/v1.16

release/v1.15

release/v1.14

release/v1.13

release/v1.12

release/v1.11

release/v1.10

release/v1.9

release/v1.8

v1.25.3

v1.25.2

v1.25.1

v1.25.0

v1.24.7

v1.25.0-rc0

v1.26.0-dev

v1.24.6

v1.24.5

v1.24.4

v1.24.3

v1.24.2

v1.24.1

v1.24.0

v1.23.8

v1.24.0-rc0

v1.25.0-dev

v1.23.7

v1.23.6

v1.23.5

v1.23.4

v1.23.3

v1.23.2

v1.23.1

v1.23.0

v1.23.0-rc0

v1.24.0-dev

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.23.0-dev

v1.22.0-rc1

v1.21.11

v1.22.0-rc0

v1.21.10

v1.21.9

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.20.6

v1.21.1

v1.21.0

v1.21.0-rc2

v1.21.0-rc1

v1.20.5

v1.22.0-dev

v1.21.0-rc0

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.4

v1.21.0-dev

v1.20.0-rc2

v1.20.0-rc1

v1.20.0-rc0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.19.0-rc1

v1.20.0-dev

v1.19.0-rc0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.4

v1.18.0-rc1

v1.19.0-dev

v1.18.0-rc0

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

$20

$250

$50

$500

backport/done

💎 Bounty

docs-update-needed

good first issue

hacktoberfest

issue/bounty

issue/confirmed

issue/critical

issue/duplicate

issue/needs-feedback

issue/not-a-bug

issue/regression

issue/stale

issue/workaround

lgtm/need 2

modifies/api

modifies/translation

outdated/backport/v1.18

outdated/theme/markdown

outdated/theme/timetracker

performance/bigrepo

performance/cpu

performance/memory

performance/speed

pr/breaking

proposal/accepted

proposal/rejected

pr/wip

pull-request

Mirrored from GitHub Pull Request

reviewed/wontfix

💰 Rewarded

skip-changelog

status/blocked

topic/accessibility

topic/api

topic/authentication

topic/build

topic/code-linting

topic/commit-signing

topic/content-rendering

topic/deployment

topic/distribution

topic/federation

topic/gitea-actions

topic/issues

topic/lfs

topic/mobile

topic/moderation

topic/packages

topic/pr

topic/projects

topic/repo

topic/repo-migration

topic/security

topic/theme

topic/ui

topic/ui-interaction

topic/ux

topic/webhooks

topic/wiki

type/bug

type/deprecation

type/docs

type/enhancement

type/feature

type/miscellaneous

type/proposal

type/question

type/refactoring

type/summary

type/testing

type/upstream

No Label issue/needs-feedback topic/packages

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#9304