It is possible to deploy without permissions

Issue #4 resolved
Maciej Raszplewicz created an issue

Hi,

I am currently testing this plugin. It looks promising, but it was possible to bypass the permission checking.

Steps to reproduce:

  1. Create a user with permissions only to deploy on a single environment
  2. Get the id of another environment (on which the new user does not have permission to deploy)
  3. Log in as the new user
  4. Deploy while recording the network traffic (e.g. F12 in Firefox)
  5. Change the environment id (use Edit and Resend in Firefox) in the POST to /plugins/servlet/deploy/customdeploystart

Deployment works and I can even see which user has run the deployment.

Comments (6)

  1. Hutuleac Iulius repo owner

    Thank you for raising the issue! I will publish the fix in the marketplace in the next few minutes.

    Julius

  2. Maciej Raszplewicz reporter

    Thanks for the very quick fix!

    I have checked and can confirm that after your fix it is not possible to deploy without permission to an environment. However, it still returns a 302 HTTP status instead of 403 like a normal deployment does. Maybe you can fix that too (although it is a minor issue)?

  3. Hutuleac Iulius repo owner

    Hi, I know it is doing a redirect and the status is not quite visible. I will try to add a simple error page with the failure reason tomorrow, instead of a redirect to the environment page.
