SVN: Permissions not applying?

  • bug description (occurred issue): While investigating some user issues, it appears that permissions on SVN repositories are not being applied - all users (defined externally) are permitted to write to the repository.

  • expected result / system behavior: Users with READ permissions or without permissions set should not be able to commit changes to the repository, etc.

  • observed result / system behavior: Users can write to the repository regardless of the permissions that are set. No permissions are set in “_authenticated”.

  • SCM-Manager version and installed package: 3.5.0 (yes, we need to update), LDAP plugin

In this case, only scmadmin has permissions, but the update is done by another user authenticated externally via LDAP/AD.


Hi @doconeill

thank you for bringing this to our attention!

I’ve unlisted this thread due to security reasons. It’s still accessible for you but only via link. I hope that you receive an e-mail notification.

I did, thanks…just noticed the unredacted image…added redacted image.

FYI, updated to 3.7.4, no change to behavior. OS is AlmaLinux 9.5 if it matters. LDAP source is Microsoft Azure Active Directory Domain Services.

Hi @doconeill, I just checked this on a minimal installation. Without permissions (or only with READ permission) I got the error that I was hoping for:

svn: E220004: Commit failed (details follow):
svn: E220004: You do not have enough access privileges for this operation.

A detail I’m often missing is the permissions you could grant on namespace level. Can you check that you have no permissions set for the scmadmin namespace? You can find the settings when you click on the cogwheel on the right beside the namespace in the repository overview.

Thanks :slight_smile:

I just checked…nothing set at the namespace level other than the owner having OWNER permissions. The test user also shows no permissions set in _authenticated, namespaces, or repos (except one that is not the one I’m currently testing with).

I was just playing with the API, and if I query the permissions of the test user, I get this:

  "permissions": [
    "repository:read,pull:*",
    "repository:read,pull,push:*",
    "repository:read,rename:*",
    "repository:create"
  ],

The description says this is for git repos though…I have git disabled. But where are they coming from?

Ah, these permissions definitely do look like global permissions set for the user itself. The user should show up as an external user in the user administration. You can find a permissions section in the settings for this user. They will apply, although the user is authenticated by LDAP.

Can you check this? Thanks :slight_smile:

Well…frack…found it under the “Settings > Permissions”, which doesn’t show up in the overview I guess…apparently the external users are by default getting global permissions when created. Is there a way to change that?

Never mind…the account I was testing with was used a while ago and assigned those permissions without my knowledge, and I looked everywhere BUT that particular setting.

Thanks for helping me track it down!

Thanks, I can sleep again :grinning_face_with_smiling_eyes: Glad you found it!
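
An added example, not part of the original thread or of SCM-Manager's code: a small audit helper that takes a user's effective permission strings, as quoted in the API output above, and reports which of them grant a verb on every repository. It assumes the strings follow Shiro-style wildcard semantics (`domain:verbs:instance`, with `*` matching anything); the function names and the sample object are constructed for illustration.

```python
import json

# Constructed sample: the "permissions" array quoted in the thread, wrapped in an object.
SAMPLE = json.loads("""
{"permissions": [
  "repository:read,pull:*",
  "repository:read,pull,push:*",
  "repository:read,rename:*",
  "repository:create"
]}
""")

def parse(perm):
    """Split 'domain:verb1,verb2:instance' into a list of sets, one set per part."""
    return [set(p.strip() for p in part.split(",")) for part in perm.split(":")]

def implies(granted, wanted):
    """Shiro-style wildcard check (assumed semantics): does `granted` cover `wanted`?"""
    g, w = parse(granted), parse(wanted)
    for i, wanted_part in enumerate(w):
        if i >= len(g):
            return True  # a shorter grant covers everything beneath it
        if "*" not in g[i] and not wanted_part <= g[i]:
            return False
    # Any extra parts on the grant must be wildcards to still match.
    return all("*" in part for part in g[len(w):])

def global_grants(permissions, verb, repo_id="any-repo-id"):
    """Return the granted strings that allow `verb` on an arbitrary repository id."""
    wanted = f"repository:{verb}:{repo_id}"
    return [p for p in permissions if implies(p, wanted)]

if __name__ == "__main__":
    for verb in ("read", "pull", "push"):
        hits = global_grants(SAMPLE["permissions"], verb)
        print(f"{verb:5} on every repository via: {hits or 'nothing'}")
```

Any non-empty result for `push` means the account can write regardless of what is set on the repository or namespace, which is the situation found under the user's "Settings > Permissions" in this thread.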