User Role mapping isn't restricted

Hi,

With Nexus 3.34.1-01 (Anonymous is disabled), I don't understand why users (LDAP or local) with the restricted roles:

nx-repository-view-maven2-maven-xxxx-browse
nx-repository-view-maven2-maven-xxxx-read
nx-repository-view-maven2-maven-yyyy-browse
nx-repository-view-maven2-maven-yyyy-read

could browse/read/download artefacts from other repositories like npm hosted, python hosted (all repositories, in fact).

Thank you for your help

Best regards

Hi Stef,
To keep it simple, let’s focus on locally defined users first. Can you show us all roles assigned to the local user and all permissions of those roles, please?
You may consider creating a new local user (and verify that it’s reproducing your issue), so that you don’t have to leak your repository names.

Hi Dawid,

same issue with new user.

Details below:

Thank you for your help.

Best regards

I’ve just tested this scenario on my instance running 3.34.1-01 and I can’t reproduce your issue. Is there any chance that you have the same user present in multiple realms (e.g., local and LDAP)?
When you say that unauthorised user can browse/read/download is that using the web UI or a native client (e.g. npm, maven, etc)?
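The two checks Dawid asks for above (which roles and privileges the user actually ends up with, and whether the same userId exists in more than one realm) can be scripted against the user and role records Nexus returns. This is an added example, not code from the thread or from Sonatype; it assumes JSON shaped like the Nexus 3 REST responses for `GET /service/rest/v1/security/users` and `GET /service/rest/v1/security/roles` (fields `userId`, `source`, `roles`, `privileges`), and all records embedded below are constructed for illustration.

```python
"""Audit a Nexus 3 user's effective privileges from REST-style records."""
import re

# Constructed: the same userId returned from two realms (the situation asked about).
USERS = [
    {"userId": "test", "source": "default", "roles": ["maven-ro"]},
    {"userId": "test", "source": "LDAP", "roles": ["nx-admin"]},
]

# Constructed role records; "roles" lists nested roles that also apply.
ROLES = {
    "maven-ro": {"privileges": ["nx-repository-view-maven2-maven-xxxx-browse",
                                "nx-repository-view-maven2-maven-xxxx-read",
                                "nx-repository-view-maven2-maven-yyyy-browse",
                                "nx-repository-view-maven2-maven-yyyy-read"],
                 "roles": []},
    "nx-admin": {"privileges": ["nx-all"], "roles": []},
    "dev": {"privileges": ["nx-repository-view-npm-*-read"], "roles": ["maven-ro"]},
}

def effective_privileges(role_ids, roles=ROLES):
    """Collect the privileges of the given roles and of every nested role."""
    seen, privs, stack = set(), set(), list(role_ids)
    while stack:
        rid = stack.pop()
        if rid in seen:
            continue
        seen.add(rid)
        role = roles.get(rid, {})
        privs.update(role.get("privileges", []))
        stack.extend(role.get("roles", []))
    return privs

def out_of_scope(privs, allowed_repos):
    """Privileges that reach beyond browse/read on the allowed maven2 repos.

    Anything not of the form nx-repository-view-maven2-<repo>-(browse|read),
    e.g. nx-all or a wildcard repository privilege, is flagged as well.
    """
    pat = re.compile(r"^nx-repository-view-maven2-(.+)-(browse|read)$")
    return sorted(p for p in privs
                  if not (m := pat.match(p)) or m.group(1) not in allowed_repos)

def audit(user_id, users=USERS, roles=ROLES, allowed=("maven-xxxx", "maven-yyyy")):
    """Return (realms the userId appears in, out-of-scope privileges)."""
    matches = [u for u in users if u["userId"] == user_id]
    realms = sorted(u["source"] for u in matches)
    role_ids = [r for u in matches for r in u["roles"]]
    return realms, out_of_scope(effective_privileges(role_ids, roles), allowed)

if __name__ == "__main__":
    print(audit("test"))  # more than one realm is the first thing to look at
```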

Hi Dawid,

The user ‘test’ is only present locally, not in LDAP.

The local user access through web UI and could ‘search/browse’ all repositories (npm, docker …), even if the role limits to specific maven repositories.

Best regards

Sorry, I am not able to reproduce this issue. If you’re a professional (licensed) customer, please use the support channels. If you are not a licensed customer and you believe this is a bug in our product, you can file a bug report in our JIRA. Can you send the team a support zip to help analyse your issue? It is preferred if you can reproduce the issue first so we can see full logging at the time of occurrence.


Hi Dawid,

Thanks for your reply.

Best Regards