Uploaded image for project: 'Xray for Jira'
  1. Xray for Jira
  2. XRAY-6819

IDOR Leads to unauthorized user to delete attachment in test run

    XporterXMLWordPrintable

Details

    • XRAY 2020 Sprint 10, XRAY 2020 Sprint 11, XRAY 2020 Sprint 12, XRAY 2021 Sprint 1

    • OK

    Description

      1. Create Jira account no_permissions.
      2. Add another employee to the jira account with user privileges
      3. Create a Xray project and configure this project permission settings for administratoronly
      4. Create a TEST
      5. Execute it in the testrun page
      6. Add attachment
      7. using the user with no permission call 
         curl -H "Content-Type: application/json" -X DELETE -u sin:sin http://localhost:8120/rest/raven/1.0/testrun/117874/attachment/221

      Attachments

        Issue Links

          is cloned by

          Bug - A problem which impairs or prevents the functions of the product. XRAY-6820 IDOR Leads to unauthorized user to delete attachment on Test issue [Manual Steps]

          • Major - Major loss of function.
          • Closed

          Activity

            People

              bims Beatriz Silva [X] (Inactive)
              dpca Diamantino Campos
              Beatriz Silva [X] (Inactive), Pedro Rodrigues
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Time Spent - 3 weeks, 57 minutes Remaining Estimate - 1 hour
                  1h
                  Logged:
                  Time Spent - 3 weeks, 57 minutes Remaining Estimate - 1 hour
                  3w 57m