Environment info:
- SonarQube Enterprise Edition - Version 10.4.1 (build 88267)
- Deployment: Amazon ECS Container, official SonarQube docker image
Problem:
- User is greeted with “Insufficient privileges” message on project permissions page while still being able to change project-level permissions. This causes confusion and the user doesn’t know if something went wrong or if the permission changes did not register etc.
Reproduction:
- As a user with project-level admin privileges, go to “Project Settings” → “Permissions”.
- “Insufficient privileges” error banner is shown on the top of the page.
Findings/notes:
- The user has project-level Admin permissions to the project and is able to change permissions to the project.
- With the browser’s dev tools I can see that API calls to “api/system/info” are failing with a status 403 forbidden and a response “{"errors":[{"msg":"Insufficient privileges"}]}”
- According to the API documentation the “api/system/info” API call requires global Admin permissions and thus is failing.
- With a System Admin user the API call is also made but does not cause an error.
Desired outcome:
- We know why this API call is sent in this situation.
- We know how to stop this from happening and confusing our users.
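
Added example, not part of the original post and not SonarQube code: a Node.js helper that scans a browser HAR export of the page load and groups the API calls that came back 403, with the error messages from the response body, so the failing request can be attached to a report like the one above. The host name, the static asset path and the sample entries are constructed; the field names follow the HAR 1.2 layout.

```javascript
// Body of the 403 response as quoted in the post.
const deniedBody = '{"errors":[{"msg":"Insufficient privileges"}]}';

// Constructed sample HAR (trimmed to the fields used below).
const sampleHar = {
  log: {
    entries: [
      { request: { method: "GET", url: "https://sonarqube.example.com/api/system/info" },
        response: { status: 403, content: { text: deniedBody } } },
      // Some browsers store bodies base64-encoded in the HAR.
      { request: { method: "GET", url: "https://sonarqube.example.com/api/system/info" },
        response: { status: 403, content: {
          text: Buffer.from(deniedBody).toString("base64"), encoding: "base64" } } },
      { request: { method: "GET", url: "https://sonarqube.example.com/js/app.js" },
        response: { status: 200, content: { text: "" } } },
    ],
  },
};

// Return one record per "METHOD /path" that was answered with 403 on an /api/ path.
function findDeniedApiCalls(har) {
  const denied = new Map();
  for (const entry of har?.log?.entries ?? []) {
    const { request, response } = entry;
    if (!request || !response || response.status !== 403) continue;
    const path = new URL(request.url).pathname;
    if (!path.includes("/api/")) continue; // also matches installs under a context path
    const content = response.content ?? {};
    let body = content.text ?? "";
    if (content.encoding === "base64") body = Buffer.from(body, "base64").toString("utf8");
    let messages = [];
    try {
      messages = (JSON.parse(body).errors ?? []).map((e) => e.msg);
    } catch {
      // Empty or non-JSON body: keep the record, without messages.
    }
    const key = `${request.method} ${path}`;
    const rec = denied.get(key) ?? { endpoint: key, count: 0, messages: new Set() };
    rec.count += 1;
    messages.forEach((m) => rec.messages.add(m));
    denied.set(key, rec);
  }
  return [...denied.values()].map((r) => ({ ...r, messages: [...r.messages] }));
}

console.log(findDeniedApiCalls(sampleHar));
```

Running it against HAR exports taken as a project admin and as a system admin shows which requests the page issues in both cases and which of them are rejected only for the project admin.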