Description
In artifact-list-page.service.ts, _hasSbomPermission is already populated using the result returned from:
hasProjectPermissions(projectId, permissions)
However, the value is immediately overridden by a hardcoded assignment:
this._hasSbomPermission = true;
This bypasses the actual permission check and always enables SBOM permission in the UI regardless of the user's real project permissions.
Expected Behavior
- SBOM permission should rely only on the result returned from hasProjectPermissions(...)
- Users without SBOM permission should not receive access through the UI
- The temporary hardcoded override should be removed
Possible Fix
Remove:
this._hasSbomPermission = true;
and verify the permission flow with different project roles/users.
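The override pattern described above next to a corrected form, with a small role matrix for the verification step. This is an added example, not code from the project: the role table, the `role` argument on the stubbed `hasProjectPermissions`, the permission shape and both class names are assumptions made for illustration.

```typescript
// Added illustration; types, role table and class names are constructed, not project code.
type Permission = { resource: string; action: string };

// Constructed stand-in for the permission lookup: one boolean per requested permission.
const ROLE_GRANTS: Record<string, string[]> = {
  projectAdmin: ["sbom:create", "sbom:read"],
  limitedGuest: [],
};

function hasProjectPermissions(role: string, _projectId: number, permissions: Permission[]): boolean[] {
  const granted = ROLE_GRANTS[role] ?? [];
  return permissions.map((p) => granted.includes(`${p.resource}:${p.action}`));
}

const SBOM_PERMISSIONS: Permission[] = [{ resource: "sbom", action: "create" }];

// Pattern described in the issue: the lookup result is stored, then overwritten.
class OverriddenService {
  private _hasSbomPermission = false;
  init(role: string, projectId: number): void {
    const results = hasProjectPermissions(role, projectId, SBOM_PERMISSIONS);
    this._hasSbomPermission = results[0];
    this._hasSbomPermission = true; // hardcoded override: the check above no longer matters
  }
  hasSbomPermission(): boolean { return this._hasSbomPermission; }
}

// Corrected: the flag only takes the value returned by the lookup and defaults to deny.
class FixedService {
  private _hasSbomPermission = false;
  init(role: string, projectId: number): void {
    const results = hasProjectPermissions(role, projectId, SBOM_PERMISSIONS);
    this._hasSbomPermission = results.length > 0 && results.every(Boolean);
  }
  hasSbomPermission(): boolean { return this._hasSbomPermission; }
}

// Role matrix for the verification step: the flag each service exposes per role.
function permissionMatrix(): Record<string, { overridden: boolean; fixed: boolean }> {
  const out: Record<string, { overridden: boolean; fixed: boolean }> = {};
  for (const role of Object.keys(ROLE_GRANTS)) {
    const a = new OverriddenService();
    const b = new FixedService();
    a.init(role, 1);
    b.init(role, 1);
    out[role] = { overridden: a.hasSbomPermission(), fixed: b.hasSbomPermission() };
  }
  return out;
}
```

A regression test for the fix should include at least one role for which the lookup returns false, since a role that holds the permission produces the same flag with or without the override.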