Description
In Bamboo 4.1 - I have a build plan where I have build expiry overridden but have specified labels to keep such as "keep". As UserA with full plan admin permissions I assign a Label to a successful build result "keep". This means I want that build to NEVER be expired as it is a critical build.
If I log in as UserB, who has ONLY View permissions on the build, I can go to the successful build and REMOVE all the labels on that build. Then, if the nightly build expiry runs, my successful build that I THOUGHT I marked to not be deleted can get deleted.
EVEN WORSE, if the Plan is set to have View Permissions for all logged-in users, then any logged-in user can remove the build result label, thus causing the build to be cleaned up and lost due to expiry.
I'm not sure if I consider this a bug or a security flaw (possibly both).