Details
- Bug
- Resolution: Fixed
- Low
- 2.11.3
- None
Description
Steps to Reproduce
- Create a normal Stash user with the Stash User permission.
- Run this REST query to make sure he/she is not able to access the resource:
curl -s -u <username> "http://localhost:7990/rest/api/1.0/admin/groups/more-members?context=stash-users"
You should get this response:
{"errors":[{"context":null,"message":"You are not permitted to access this resource","exceptionName":"com.atlassian.stash.exception.AuthorisationException"}]}
- Log in as the newly created user, create a new Personal Repository, and delete it afterward.
- Run the same REST query as above; it will return all the users under the specified context (this should be possible only if the user has either Project Permission or Admin Permission).
Sample call with the response:
Omar-Mac:bin omaral-safi$ curl -s -u admin2 "http://localhost:7990/rest/api/1.0/admin/groups/more-members?context=stash-users"
Enter host password for user 'admin2':
{"size":3,"limit":25,"isLastPage":true,"values":[{"name":"admin","emailAddress":"oalsafi@atlassian.com","id":1,"displayName":"Admin","active":true,"slug":"admin","directoryName":"Stash Internal Directory","mutableDetails":true,"mutableGroups":true,"link":{"url":"/users/admin","rel":"self"},"links":{"self":[{"href":"http://localhost:7990/users/admin"}]}},{"name":"admin2","emailAddress":"omarsmak@gmail.com","id":101,"displayName":"admin2","active":true,"slug":"admin2","directoryName":"Stash Internal Directory","mutableDetails":true,"mutableGroups":true,"link":{"url":"/users/admin2","rel":"self"},"links":{"self":[{"href":"http://localhost:7990/users/admin2"}]}},{"name":"omarsmak","emailAddress":"admin@admin.com","id":251,"displayName":"Omar","active":true,"slug":"omarsmak","directoryName":"JIRA Server","mutableDetails":false,"mutableGroups":false,"link":{"url":"/users/omarsmak","rel":"self"},"links":{"self":[{"href":"http://localhost:7990/users/omarsmak"}]}}],"start":0,"filter":null}
Omar-Mac:bin omaral-safi$
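A regression check for the behaviour described above, as an added example that is not part of the original report or of Stash itself: it classifies a saved response body from the more-members query as a denial or a user listing, and passes only if the non-admin user is denied both before and after the create-and-delete step. The function names and the two sample bodies are constructed for illustration.

```python
import json

DENY_EXCEPTION = "com.atlassian.stash.exception.AuthorisationException"
# Per-user fields visible in the listing quoted in the report.
USER_FIELDS = ("name", "emailAddress", "displayName", "directoryName")

# Constructed sample bodies modelled on the two responses in the report.
DENIED_BODY = ('{"errors":[{"context":null,"message":"You are not permitted to '
               'access this resource","exceptionName":"' + DENY_EXCEPTION + '"}]}')
EXPOSED_BODY = json.dumps({"size": 2, "limit": 25, "isLastPage": True, "values": [
    {"name": "admin", "emailAddress": "admin@example.com", "displayName": "Admin",
     "directoryName": "Stash Internal Directory"},
    {"name": "user1", "emailAddress": "user1@example.com", "displayName": "User One",
     "directoryName": "Stash Internal Directory"}]})


def _result(verdict, users=(), fields=()):
    return {"verdict": verdict, "users": sorted(users), "fields": sorted(fields)}


def classify_response(body):
    """Classify a more-members response body as denied, exposed or unexpected."""
    try:
        doc = json.loads(body)
    except ValueError:
        return _result("unexpected")
    if not isinstance(doc, dict):
        return _result("unexpected")
    errors = doc.get("errors")
    if isinstance(errors, list) and errors and all(
            isinstance(e, dict) and e.get("exceptionName") == DENY_EXCEPTION
            for e in errors):
        return _result("denied")
    values = doc.get("values")
    if isinstance(values, list):
        # A paged listing means the permission check passed, even if it is empty.
        users = [v for v in values if isinstance(v, dict)]
        names = {str(u["name"]) for u in users if "name" in u}
        fields = {f for u in users for f in USER_FIELDS if f in u}
        return _result("exposed", names, fields)
    return _result("unexpected")


def regression_ok(before_body, after_body):
    """True only if the non-admin user is denied both before and after the
    create-and-delete personal repository step from the report."""
    return all(classify_response(b)["verdict"] == "denied"
               for b in (before_body, after_body))


if __name__ == "__main__":
    print(classify_response(DENIED_BODY))
    print(classify_response(EXPOSED_BODY))
    print("regression ok:", regression_ok(DENIED_BODY, EXPOSED_BODY))
```

Feed it the bodies captured with the curl query from the steps above, run as the normal user on a test instance before and after the personal repository is created and deleted.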