Access to all projects normally non-accessible via the "All Remaining Projects" selection mode of the portfolio creation

Rodolphe_Dariol · April 8, 2021, 2:18pm

Information:

SonarQube 8.8 EE

Hi,

I have the following problem: via the “All Remaining Projects” selection mode, I can create a portfolio that contains all the projects of the SonarQube server, even the private ones on which I have no permission.

Is this normal behavior?

I was expecting that the remaining projects were at least only the projects which are public or the private ones on which I have at least the “Browse Permission”.

It sounds like to me to be a breach of security to give the ability to anyone to have access, even just the global indicators, to projects via portfolios that they cannot normally access.

On our SonarQube instance, we have turned down the “Create Portfolio” global permission that we gave to all the users.

Thanks in advance for your answers.

Colin_SonarSource · April 9, 2021, 9:27am

Hi there.

Indeed, you face an issue that will hopefully someday be addressed by FR-6. It’s an old ticket, I’ll ping internally to make sure we track your feedback.

system · April 15, 2021, 2:43pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.