fixed: job assignee can remove or update any issue created by the tas…

…k owner #4424
cvat-ai · Mar 10, 2022 · 3370d88 · 3370d88
1 parent 42fdea9
commit 3370d88
Show file tree

Hide file tree

Showing 4 changed files with 5,736 additions and 5,730 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -20,6 +20,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 - Permission error occured when accessing the JobCommits (<https://github.com/openvinotoolkit/cvat/issues/4434>)
+- job assignee can remove or update any issue created by the task owner (<https://github.com/openvinotoolkit/cvat/issues/4424>)
 
 ### Security
 - TDB

diff --git a/cvat/apps/iam/rules/issues.csv b/cvat/apps/iam/rules/issues.csv
@@ -10,10 +10,10 @@ view,Issue,Sandbox,"Project:owner, Project:assignee, Task:owner, Task:assignee,
 view,Issue,Organization,N/A,,GET,/issues/{id},User,Maintainer
 view,Issue,Organization,"Project:owner, Project:assignee, Task:owner, Task:assignee, Job:assignee, Owner, Assignee",,GET,/issues/{id},None,Worker
 update,Issue,Sandbox,N/A,,PATCH,/issues/{id},Admin,N/A
-update,Issue,Sandbox,"Project:owner, Project:assignee, Task:owner, Task:assignee, Job:assignee, Owner",,PATCH,/issues/{id},Worker,N/A
+update,Issue,Sandbox,"Project:owner, Project:assignee, Task:owner, Task:assignee, Owner",,PATCH,/issues/{id},Worker,N/A
 update,Issue,Organization,N/A,,PATCH,/issues/{id},User,Maintainer
-update,Issue,Organization,"Project:owner, Project:assignee, Task:owner, Task:assignee, Job:assignee, Owner",,PATCH,/issues/{id},Worker,Worker
+update,Issue,Organization,"Project:owner, Project:assignee, Task:owner, Task:assignee, Owner",,PATCH,/issues/{id},Worker,Worker
 delete,Issue,Sandbox,N/A,,DELETE,/issues/{id},Admin,N/A
-delete,Issue,Sandbox,"Project:owner, Project:assignee, Task:owner, Task:assignee, Job:assignee, Owner",,DELETE,/issues/{id},Worker,N/A
+delete,Issue,Sandbox,"Project:owner, Project:assignee, Task:owner, Task:assignee, Owner",,DELETE,/issues/{id},Worker,N/A
 delete,Issue,Organization,N/A,,DELETE,/issues/{id},User,Maintainer
-delete,Issue,Organization,"Project:owner, Project:assignee, Task:owner, Task:assignee, Job:assignee, Owner",,DELETE,/issues/{id},Worker,Worker
+delete,Issue,Organization,"Project:owner, Project:assignee, Task:owner, Task:assignee, Owner",,DELETE,/issues/{id},Worker,Worker
diff --git a/cvat/apps/iam/rules/issues.rego b/cvat/apps/iam/rules/issues.rego
@@ -95,13 +95,17 @@ is_job_staff {
 }
 
 is_issue_admin {
-    is_job_staff
+    is_task_staff
 }
 
 is_issue_admin {
     is_issue_owner
 }
 
+is_issue_staff {
+    is_job_staff
+}
+
 is_issue_staff {
     is_issue_admin
 }
@@ -234,7 +238,7 @@ allow {
 allow {
     { utils.UPDATE, utils.DELETE }[input.scope]
     input.auth.organization.id == input.resource.organization.id
-    is_issue_admin
     utils.has_perm(utils.WORKER)
     organizations.is_member
+    is_issue_admin
 }