Hi Stef,
To keep it simple, let’s focus on locally defined users first. Can you show us all roles assigned to the local user and all permissions of those roles, please?
You may consider creating a new local user (and verify that it’s reproducing your issue), so that you don’t have to leak your repository names.
I’ve just tested this scenario on my instance running 3.34.1-01 and I can’t reproduce your issue. Is there any chance that you have the same user present in multiple realms (e.g., local and LDAP)?
When you say that an unauthorised user can browse/read/download, is that using the web UI or a native client (e.g. npm, maven, etc.)?
The user ‘test’ is only present locally, not on LDAP.
The local user accesses through the web UI and could ‘search/browse’ all repositories (npm, docker …), even if the role limits to specific maven repositories.
Sorry, I am not able to reproduce this issue. If you’re a professional (licensed) customer, please use the support channels. If you are not a licensed customer and you believe this is a bug in our product, you can file a bug report in our JIRA. Can you send the team a support zip to help analyse your issue? It is preferred if you can reproduce the issue first so we can see full logging at the time of occurrence.