Users can access Team Managed projects irrespective of the Access setting set using an internal API call

XMLWordPrintable

    • 3
    • Severity 3 - Minor
    • 0

      Issue Summary

      Users with no access can see Private Team-managed projects on the list.

      Please note, we have observed that the issue is only reported when the permission/access setting for TMP is changed using an internal API call "/rest/internal/simplified/1.0/projects/" via any third-party automation, or custom scripts.

      Steps to Reproduce

      1. Create a new team-managed project with OPEN or LIMITED access.
      2. Set the access level to Private using a custom script. The script should be set to trigger on the "Project Create" webhook.
      3. The project will still be visible to all users in the project list (the project when clicked will not be accessible though)

      Expected Results

      Project should not be displayed in the list for a Basic user

      Actual Results

      The project will be displayed in the list. Any users can access the PRIVE project.

      Workaround

      Change the accessing setting to OPEN or LIMITED and updated it back to PRIVATE.

      Follow the below workaround if you are using a custom script:

      • Look for the HTTP response for the API endpoint - /rest/internal/simplified/1.0/projects/.
      • If the response code is 500, then the script should be changed to flip the permission access back to "OPEN" or "LIMITED" and then again update the access to "PRIVATE".

      OR

      • Add a delay in your script before accessing the API.

            Assignee:
            Anthony "Public Name" Jereley
            Reporter:
            Rahul Kumar
            Votes:
            3 Vote for this issue
            Watchers:
            8 Start watching this issue

              Created:
              Updated:
              Resolved: