We need to separate permissions in our repositories on a per team basis. Therefore, I am trying to create content selectors to allow our teams to maintain their own docker images.
Pushing works like a charm; problems arise when trying to set up selective permissions for deleting images from the registry.
I have set up a content selector so teams can browse the registry:
format == "docker" and (
path == "/" or
path == "/v2/"
)
And several that are to be used for allowing them to delete their images (which is also the selector used for pushing):
format == "docker" and path =^ "/v2/team1/"
Then, I created 2 privileges:
- ‘browse_repo’ using first selector and action ‘Browse’
- ‘team1_maintenance’ using second selector and action ‘Delete’
The problem I now have is that ‘team1’ is only able to browse the tree to ‘/v2/team1/’, but they are able to delete the whole registry by selecting ‘v2’ in the tree and clicking ‘Delete folder’.
When I remove the second privilege, the team can only see ‘/v2/’, but is correctly not able to delete anything.
Removing the first privilege makes it so they can’t browse at all!
Am I doing something wrong here? How can I configure it correctly to let my teams see all their images in the registry, but not allow them to delete the images that are not theirs?
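As an added illustration (not part of the original post, and not Nexus's own code), the following Python models how the two content selectors above evaluate against individual asset attributes, which is the check a practitioner would run before trusting a privilege set. It parses the CSEL subset the post uses (`==`, the `=^` starts-with operator, `and`, `or`, parentheses) and reports which actions each privilege grants on a given asset. The asset paths are constructed sample values: the exact path layout Nexus stores for Docker manifests and blobs is not shown on the page, and the model evaluates per-asset matching only, so it does not reproduce the tree-level "Delete folder" behaviour the post describes.

```python
import re

# Selector expressions copied from the post.
BROWSE_SELECTOR = '''
format == "docker" and (
path == "/" or
path == "/v2/"
)
'''
TEAM1_SELECTOR = 'format == "docker" and path =^ "/v2/team1/"'

# Tokens of the CSEL subset in use: parentheses, the == and =^ operators,
# double-quoted string literals, and bare identifiers (format, path, and, or).
_TOKEN_RE = re.compile(r'\s*(?:([()])|(==|=\^)|"([^"]*)"|([A-Za-z_]\w*))')


def tokenize(expr):
    tokens, pos, end = [], 0, len(expr.rstrip())
    while pos < end:
        m = _TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {expr[pos:pos + 10]!r}")
        paren, op, string, ident = m.groups()
        if paren:
            tokens.append(("paren", paren))
        elif op:
            tokens.append(("op", op))
        elif string is not None:
            tokens.append(("str", string))
        elif ident in ("and", "or"):
            tokens.append(("kw", ident))
        else:
            tokens.append(("ident", ident))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive descent: expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := '(' expr ')' | ident (== | =^) string.  'and' binds tighter than 'or'."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.i != len(self.toks):
            raise ValueError("trailing tokens after expression")
        return node

    def expr(self):
        node = self.term()
        while self.peek() == ("kw", "or"):
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == ("kw", "and"):
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        kind, val = self.take()
        if (kind, val) == ("paren", "("):
            node = self.expr()
            if self.take() != ("paren", ")"):
                raise ValueError("expected ')'")
            return node
        if kind != "ident":
            raise ValueError(f"expected attribute name, got {val!r}")
        op_kind, op = self.take()
        str_kind, literal = self.take()
        if op_kind != "op" or str_kind != "str":
            raise ValueError(f"expected <attr> == or =^ \"literal\" after {val!r}")
        return (op, val, literal)


def _evaluate(node, asset):
    kind = node[0]
    if kind == "or":
        return _evaluate(node[1], asset) or _evaluate(node[2], asset)
    if kind == "and":
        return _evaluate(node[1], asset) and _evaluate(node[2], asset)
    value = str(asset.get(node[1], ""))
    return value == node[2] if kind == "==" else value.startswith(node[2])  # "=^" is starts-with


def compile_selector(expr):
    """Return a predicate asset -> bool for a CSEL expression."""
    ast = _Parser(tokenize(expr)).parse()
    return lambda asset: _evaluate(ast, asset)


# Privileges as described in the post: (name, selector, action).
PRIVILEGES = [
    ("browse_repo", compile_selector(BROWSE_SELECTOR), "Browse"),
    ("team1_maintenance", compile_selector(TEAM1_SELECTOR), "Delete"),
]


def allowed_actions(asset, privileges=PRIVILEGES):
    """Set of actions granted on one asset by the privileges whose selector matches it."""
    return {action for _, selector, action in privileges if selector(asset)}


if __name__ == "__main__":
    # Constructed sample assets; real Nexus docker asset paths may differ.
    for asset in [
        {"format": "docker", "path": "/v2/"},
        {"format": "docker", "path": "/v2/team1/app/manifests/1.0"},
        {"format": "docker", "path": "/v2/team2/app/manifests/1.0"},
        {"format": "maven2", "path": "/v2/team1/app.jar"},
    ]:
        print(f"{asset['format']:8} {asset['path']:32} -> {sorted(allowed_actions(asset)) or '(nothing)'}")
```

Under these selectors no asset outside `/v2/team1/` matches the Delete privilege, so whatever lets ‘Delete folder’ on `v2` remove other teams' images is not explained by per-asset selector matching alone; that is the distinction worth raising when asking about the observed behaviour.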