Portfolio access control doesn't work when a user is a member of different teams with different ACLs/projects #5295

@jkvbe

Description

Current Behavior

I wanted to give a user "write" access to a limited set of projects and view access to all the other projects in Dependency-Track. Therefore I created 2 teams: one (teamA) with the permissions allowing it to update attributes of projects/vulnerabilities and one (teamB) with view-only permissions.

In the Portfolio Access Control tab, I assigned a limited set of projects to teamA and the remainder of the projects to teamB.

I've made a user member of teamA and teamB.

The user can now modify attributes of all the projects (e.g., vulnerability analysis data).

Steps to Reproduce

  1. Create teamA with permissions PORTFOLIO_MANAGEMENT, VULNERABILITY_ANALYSIS and VULNERABILITY_MANAGEMENT
  2. Create teamB with all VIEW* permissions
  3. Assign teamA to projectA and teamB to projectB and projectC
  4. Assign a user to teamA and teamB

The user is able to update vulnerability attributes (e.g., analysis data) of projectB and projectC.

Expected Behavior

I would have expected that it would refuse updates of vulnerability analysis data of projectB and projectC.

Dependency-Track Version

4.13.3

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

N/A
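To make the reported behaviour precise, here is an added model of the two ways team permissions and project ACLs can be combined; it is constructed for this issue and is not Dependency-Track's own code. The team, project and permission names are taken from the report (the VIEW* names for teamB are assumed), and `allowed_union` reproduces the observed behaviour while `allowed_scoped` reproduces the expected one.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Team:
    name: str
    permissions: frozenset[str]   # permissions granted to members of the team
    projects: frozenset[str]      # projects assigned to the team via Portfolio Access Control


def allowed_union(teams: list[Team], project: str, permission: str) -> bool:
    """Observed behaviour: the user's permissions are the union over all teams,
    and the project ACL only decides whether the project is visible at all."""
    visible = set().union(*(t.projects for t in teams))
    permissions = set().union(*(t.permissions for t in teams))
    return project in visible and permission in permissions


def allowed_scoped(teams: list[Team], project: str, permission: str) -> bool:
    """Expected behaviour: a permission only counts for a project if it comes
    from a team that is itself assigned to that project."""
    return any(project in t.projects and permission in t.permissions for t in teams)


def over_granted(teams: list[Team], permission: str) -> set[str]:
    """Projects where the union model grants a permission that the scoped model denies."""
    every_project = set().union(*(t.projects for t in teams))
    return {p for p in every_project
            if allowed_union(teams, p, permission) and not allowed_scoped(teams, p, permission)}


# Constructed reproduction of the report: teamA may edit projectA only,
# teamB may only view projectB and projectC, and one user is in both teams.
TEAM_A = Team("teamA",
              frozenset({"PORTFOLIO_MANAGEMENT", "VULNERABILITY_ANALYSIS", "VULNERABILITY_MANAGEMENT"}),
              frozenset({"projectA"}))
TEAM_B = Team("teamB",
              frozenset({"VIEW_PORTFOLIO", "VIEW_VULNERABILITY"}),   # assumed VIEW* names
              frozenset({"projectB", "projectC"}))
USER_TEAMS = [TEAM_A, TEAM_B]

if __name__ == "__main__":
    for project in sorted(set().union(*(t.projects for t in USER_TEAMS))):
        print(project,
              "union:", allowed_union(USER_TEAMS, project, "VULNERABILITY_ANALYSIS"),
              "scoped:", allowed_scoped(USER_TEAMS, project, "VULNERABILITY_ANALYSIS"))
    print("over-granted:", sorted(over_granted(USER_TEAMS, "VULNERABILITY_ANALYSIS")))
```

Running `over_granted` against a real team/ACL export is a quick way to audit for the same over-grant before relying on per-project ACLs to separate write from view access.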
