• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

Unleash / unleash / 10798579690
87%
master: 91%

Build:
Build:
LAST BUILD BRANCH: main
DEFAULT BRANCH: master
Ran 10 Sep 2024 06:40PM UTC
Jobs 1
Files 670
Run time 2min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

10 Sep 2024 06:35PM UTC coverage: 87.561% (-0.01%) from 87.572%
10798579690

push

github

web-flow
Fix/project role permission grant (#8084)

## Background

In #6380 we fixed a privilege escalation bug that allowed members of a
project that had permission to add users to the project with roles that
had a higher permission set than themselves. The PR linked essentially
constricts you only be able to assign users to roles that you possess
yourself if you are not an Admin or Project owner.

This fix broke expectations for another customer who needed to have a
project owner without the DELETE_PROJECT permission. The fix above made
it so that their custom project owner role only was able to assign users
to the project with the role that they posessed.

## Fix

Instead of looking directly at which role the role granter has, this PR
addresses the issue by making the assessment based on the permission
sets of the user and the roles to be granted. If the granter has all the
permissions of the role being granted, the granter is permitted to
assign the role.

## Other considerations

The endpoint to get roles was changed in this PR. It previously only
retrieved the roles that the user had in the project. This no-longer
makes sense because the user should be able to see other project roles
than the one they themselves hold when assigning users to the project.

The drawback of returning all project roles is that there may be a
project role in the list that the user does not have access to assign,
because they do not hold all the permissions required of the role. This
was discussed internally and we decided that it's an acceptable
trade-off for now because the complexities of returning a role list
based on comparing permissions set is not trivial. We would have to
retrieve each project role with permissions from the database, and run
the same in-memory check against the users permission to determine which
roles to return from this endpoint. Instead we opted for returning all
project roles and display an error if you try to as... (continued)

2737 of 3581 branches covered (76.43%)

11 of 21 new or added lines in 3 files covered. (52.38%)

5 existing lines in 3 files now uncovered.

13832 of 15797 relevant lines covered (87.56%)

720.01 hits per line

Jobs
ID Job ID Ran Files Coverage
1 10798579690.1 10 Sep 2024 06:40PM UTC 0
87.56
GitHub Action Run
Source Files on build 10798579690
Detailed source file information is not available for this build.
  • Back to Repo
  • e1b7cfd8 on github
  • Prev Build on main (#10777974337)
  • Next Build on main (#10806272668)
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc