
Unauthorized users appear to be able to change job state.

Open · kumada626 opened this issue 2 years ago • 1 comment

What happened: In the pipeline Options tab, users can click the job state toggle button even if they do not have permission to the pipeline. After clicking the button, the job state appears to have changed. However, the actual job state is not changed.

What you expected to happen: Users who don't have permission cannot click the job state toggle button.

How to reproduce it:

  1. Access the Options page of a pipeline for which you do not have permission.
  2. Click a job state toggle button.
  3. The job state appears to have changed (but has not actually changed).

kumada626 · Jul 12 '22 00:07

One idea is to just not show the Options tab to users that don't have permissions on a pipeline (much like GitHub does with Settings for repositories).

tkyi · Jul 15 '22 01:07