fixed: job assignee can remove or update any issue created by the task owner #4424 (#4436)

4 years ago · c69f10b4cb
parent 42fdea9466
commit c69f10b4cb
4 changed files with 5736 additions and 5730 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -20,6 +20,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ### Fixed
 - Permission error occured when accessing the JobCommits (<https://github.com/openvinotoolkit/cvat/issues/4434>)
+- job assignee can remove or update any issue created by the task owner (<https://github.com/openvinotoolkit/cvat/issues/4424>)

 ### Security
 - TDB
--- a/cvat/apps/iam/rules/issues.csv
+++ b/cvat/apps/iam/rules/issues.csv
@ -10,10 +10,10 @@ view,Issue,Sandbox,"Project:owner, Project:assignee, Task:owner, Task:assignee,
 view,Issue,Organization,N/A,,GET,/issues/{id},User,Maintainer
 view,Issue,Organization,"Project:owner, Project:assignee, Task:owner, Task:assignee, Job:assignee, Owner, Assignee",,GET,/issues/{id},None,Worker
 update,Issue,Sandbox,N/A,,PATCH,/issues/{id},Admin,N/A
-update,Issue,Sandbox,"Project:owner, Project:assignee, Task:owner, Task:assignee, Job:assignee, Owner",,PATCH,/issues/{id},Worker,N/A
+update,Issue,Sandbox,"Project:owner, Project:assignee, Task:owner, Task:assignee, Owner",,PATCH,/issues/{id},Worker,N/A
 update,Issue,Organization,N/A,,PATCH,/issues/{id},User,Maintainer
-update,Issue,Organization,"Project:owner, Project:assignee, Task:owner, Task:assignee, Job:assignee, Owner",,PATCH,/issues/{id},Worker,Worker
+update,Issue,Organization,"Project:owner, Project:assignee, Task:owner, Task:assignee, Owner",,PATCH,/issues/{id},Worker,Worker
 delete,Issue,Sandbox,N/A,,DELETE,/issues/{id},Admin,N/A
-delete,Issue,Sandbox,"Project:owner, Project:assignee, Task:owner, Task:assignee, Job:assignee, Owner",,DELETE,/issues/{id},Worker,N/A
+delete,Issue,Sandbox,"Project:owner, Project:assignee, Task:owner, Task:assignee, Owner",,DELETE,/issues/{id},Worker,N/A
 delete,Issue,Organization,N/A,,DELETE,/issues/{id},User,Maintainer
-delete,Issue,Organization,"Project:owner, Project:assignee, Task:owner, Task:assignee, Job:assignee, Owner",,DELETE,/issues/{id},Worker,Worker
+delete,Issue,Organization,"Project:owner, Project:assignee, Task:owner, Task:assignee, Owner",,DELETE,/issues/{id},Worker,Worker
--- a/cvat/apps/iam/rules/issues.rego
+++ b/cvat/apps/iam/rules/issues.rego
@ -95,13 +95,17 @@ is_job_staff {
 }

 is_issue_admin {
-    is_job_staff
+    is_task_staff
 }

 is_issue_admin {
    is_issue_owner
 }

+is_issue_staff {
+    is_job_staff
+}
+
 is_issue_staff {
    is_issue_admin
 }
@ -234,7 +238,7 @@ allow {
 allow {
    { utils.UPDATE, utils.DELETE }[input.scope]
    input.auth.organization.id == input.resource.organization.id
-    is_issue_admin
    utils.has_perm(utils.WORKER)
    organizations.is_member
+    is_issue_admin
 }
--- a/cvat/apps/iam/rules/issues_test.gen.rego
+++ b/cvat/apps/iam/rules/issues_test.gen.rego