
Not able to retrieve badge from the API without ACCESS_MANAGEMENT permission

Open nvkhoa666 opened this issue 11 months ago • 5 comments

Current Behavior

With the default "Badge Viewers" team in Dependency Track, the API to retrieve a project's vulnerabilities badge (/v1/badge/vulns/project/:project/:version) returns 403. If the permission ACCESS_MANAGEMENT is added to that team, then it will work as expected.

Steps to Reproduce

  1. Use the API Key from the default "Badge Viewers" to query the API /v1/badge/vulns/project/:project/:version
  2. Server returns 403
  3. Add the permission ACCESS_MANAGEMENT to the "Badge Viewers" team
  4. Use the API Key from the default "Badge Viewers" to query the API /v1/badge/vulns/project/:project/:version
  5. Server returns 200

Expected Behavior

API requests to retrieve badges should work with only the VIEW_BADGE permission.

Dependency-Track Version

4.12.2

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

N/A

nvkhoa666 avatar Jan 22 '25 09:01 nvkhoa666

Can't reproduce this with just the steps you specified on a fresh DT instance. However, I can if I also activate Portfolio Access Control (PAT) and don't give "Badge Viewers" access to the project(-version).

Do you have PAT enabled on your instance?

SaberStrat avatar Mar 13 '25 16:03 SaberStrat

Also can't call /api/v1/project without ACCESS_MANAGEMENT, which seems bizarre; neither can you upload SBOMs/create projects without it, which feels like the permissions model is not quite right...

Should I create separate issue(s), or are you happy capturing this under this ticket?

We're using a similar setup to the issue, apart from the fact that we're using version 4.13.5.

ch-joel avatar Oct 23 '25 10:10 ch-joel

@ch-joel Do you have the "Portfolio Access Control" feature enabled? ACCESS_MANAGEMENT is the only permission that bypasses access checks (it's effectively the admin permission); users/teams without this permission need to be given explicit access to projects.

nscuro avatar Oct 24 '25 08:10 nscuro
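The access rule nscuro describes, as an added example that is not Dependency-Track's own code: a constructed Python model of the decision the badge endpoint makes, so the 403/200 outcomes reported in this thread can be checked against it. The `Team`, `Instance` and `badge_request_status` names are assumptions for the model, not identifiers from the project.

```python
from dataclasses import dataclass

# Constructed model of the behaviour described in this issue thread.
# Rules as stated: ACCESS_MANAGEMENT bypasses every access check; otherwise
# the endpoint's own permission is required and, when Portfolio Access
# Control (PAC) is enabled, the team also needs an explicit grant on the
# project being queried. This is an illustration, not Dependency-Track code.

@dataclass(frozen=True)
class Team:
    name: str
    permissions: frozenset
    project_acl: frozenset = frozenset()   # projects granted under PAC

@dataclass(frozen=True)
class Instance:
    portfolio_access_control: bool

def badge_request_status(instance: Instance, team: Team, project: str) -> int:
    """HTTP status /v1/badge/vulns/project/:project/:version would return."""
    if "ACCESS_MANAGEMENT" in team.permissions:
        return 200          # admin-equivalent: skips all access checks
    if "VIEW_BADGE" not in team.permissions:
        return 403          # endpoint permission missing
    if instance.portfolio_access_control and project not in team.project_acl:
        return 403          # PAC on, no explicit project grant
    return 200

def least_privilege_fix(instance: Instance, team: Team, project: str) -> str:
    """Smallest change that makes the badge call succeed without admin rights."""
    if badge_request_status(instance, team, project) == 200:
        return "no change needed"
    if "VIEW_BADGE" not in team.permissions:
        return "grant VIEW_BADGE"
    return f"grant team {team.name!r} access to project {project!r}"

if __name__ == "__main__":
    pac_on = Instance(portfolio_access_control=True)
    viewers = Team("Badge Viewers", frozenset({"VIEW_BADGE"}))
    print(badge_request_status(pac_on, viewers, "acme-app"))     # 403
    print(least_privilege_fix(pac_on, viewers, "acme-app"))
```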


We do have that feature enabled, I believe. Do I need to disable it, or do I need to configure the Portfolio Access Control?

ch-joel avatar Oct 28 '25 10:10 ch-joel

I've disabled the Portfolio Access Control and I have been able to remove ACCESS_MANAGEMENT fine.

ch-joel avatar Oct 28 '25 11:10 ch-joel