Status: Closed
Labels: enhancement (New feature or request), p2 (Non-critical bugs, and features that help organizations to identify and reduce risk), pending release
Description
Current Behavior:
A user with the permission POLICY_VIOLATION_ANALYSIS will receive HTTP 403 errors when attempting to use the "Policy Violations" tab unless they also have the permission VULNERABILITY_ANALYSIS.
Steps to Reproduce:
- Create a Managed User X with Permissions: VIEW_PORTFOLIO (so that they can navigate projects) and POLICY_VIOLATION_ANALYSIS
- Ensure that you have a Project Y with one or more policy violations.
- Login as User X and navigate to Project Y.
- The "Policy Violations" tab is displayed (so far so good).
- Whilst the tab itself displays the list of violations, attempting to expand any individual violation will give an HTTP 403 error... but will display the details.
- Attempting to add a comment (or other action) results in more errors.
- Switch back to Admin user and add permission VULNERABILITY_ANALYSIS to User X.
- Login as User X a second time... it is now possible to perform policy violation analysis.
Expected Behavior:
Performing analysis of policy violations should require POLICY_VIOLATION_ANALYSIS permission alone and not be linked to VULNERABILITY_ANALYSIS permission (which is intended to accomplish something totally different).
Environment:
- Dependency-Track Version: 4.4.1
- Client Browser: Firefox
- Client O/S: Windows 10.
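The reproduction steps above can be scripted so the permission split is checked against an instance after every upgrade rather than by clicking through the UI. The following is an added example, not code from the issue author or from the Dependency-Track project. It assumes the 4.4.x REST endpoints `POST /api/v1/user/login`, `GET /api/v1/violation/project/{uuid}`, and `GET`/`PUT /api/v1/violation/analysis`, and that `NOT_SET` with a comment is an acceptable analysis payload; confirm both against your instance's Swagger document before relying on it. The `fake_sender` at the bottom is a constructed stand-in for a server so the check can be exercised offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Endpoints this check assumes for Dependency-Track 4.4.x (assumption, not
# taken from the issue); confirm them against /api/swagger.json.
LOGIN_PATH = "/api/v1/user/login"
VIOLATIONS_PATH = "/api/v1/violation/project/{project}"
ANALYSIS_PATH = "/api/v1/violation/analysis"


def http_send(base_url):
    """Return a sender(method, path, token, json_body, form) -> (status, text)
    built on the standard library only, so the check needs no extra packages."""
    def send(method, path, token=None, json_body=None, form=None):
        data, headers = None, {}
        if token:
            headers["Authorization"] = "Bearer " + token
        if form is not None:
            data = urllib.parse.urlencode(form).encode()
            headers["Content-Type"] = "application/x-www-form-urlencoded"
        elif json_body is not None:
            data = json.dumps(json_body).encode()
            headers["Content-Type"] = "application/json"
        req = urllib.request.Request(base_url + path, data=data, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode()
    return send


def run_repro(project_uuid, username, password, send):
    """Walk the reproduction steps as the low-privilege user (User X) and
    record the HTTP status of each call. Stops early if a prerequisite fails."""
    results = {}
    status, token = send("POST", LOGIN_PATH, form={"username": username, "password": password})
    results["login"] = status
    if status != 200:
        return results
    # "Policy Violations" tab: list the project's violations.
    status, text = send("GET", VIOLATIONS_PATH.format(project=project_uuid), token=token)
    results["list_violations"] = status
    if status != 200:
        return results
    violations = json.loads(text)
    if not violations:
        raise ValueError("project has no policy violations; pick one that does")
    component = violations[0]["component"]["uuid"]
    violation = violations[0]["uuid"]
    # Expanding an individual violation: fetch its analysis.
    query = urllib.parse.urlencode({"component": component, "policyViolation": violation})
    status, _ = send("GET", ANALYSIS_PATH + "?" + query, token=token)
    results["get_analysis"] = status
    # Adding a comment: submit an analysis that changes nothing but the comment.
    body = {"component": component, "policyViolation": violation,
            "analysisState": "NOT_SET", "comment": "permission check", "suppressed": False}
    status, _ = send("PUT", ANALYSIS_PATH, token=token, json_body=body)
    results["put_analysis"] = status
    return results


def forbidden_steps(results):
    """Names of the steps that were refused with HTTP 403, in sorted order."""
    return sorted(step for step, status in results.items() if status == 403)


def fake_sender(deny_analysis):
    """Constructed stand-in for a server, used to exercise run_repro offline.
    deny_analysis=True mimics the behaviour reported above (403 on the analysis
    calls); False mimics a build where POLICY_VIOLATION_ANALYSIS alone suffices."""
    sample = [{"uuid": "pv-1", "component": {"uuid": "comp-1"}}]  # constructed data

    def send(method, path, token=None, json_body=None, form=None):
        if path == LOGIN_PATH:
            return 200, "jwt-for-user-x"
        if token != "jwt-for-user-x":
            return 401, ""
        if path.startswith("/api/v1/violation/project/"):
            return 200, json.dumps(sample)
        if path.startswith(ANALYSIS_PATH):
            return (403, "") if deny_analysis else (200, "{}")
        return 404, ""
    return send


if __name__ == "__main__":
    import sys
    base, project, user, password = sys.argv[1:5]
    outcome = run_repro(project, user, password, http_send(base))
    print(outcome)
    print("403 on:", forbidden_steps(outcome) or "nothing")
```

Run it as `python check_pva.py https://dtrack.example.internal <project-uuid> userx <password>` with a managed user that holds only VIEW_PORTFOLIO and POLICY_VIOLATION_ANALYSIS; an empty "403 on" list means the analysis endpoints no longer depend on VULNERABILITY_ANALYSIS. Rerun after granting VULNERABILITY_ANALYSIS to confirm the difference is the permission and not something else in the setup.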