Closed
Description
- Gitea version (or commit ref): 1.3.1
- Git version: 2.7.4
- Operating system: Ubuntu 16.04.3
- Database (use `[x]`):
  - PostgreSQL
  - MySQL
  - MSSQL
  - SQLite
- Can you reproduce the bug at https://try.gitea.io:
  - Yes (https://try.gitea.io/imo-org)
  - No
  - Not relevant
- Log gist:
Description
Steps, how I noticed this:
- Create an organization and an organization repository
- Create a team with read access on code, issues, pull requests and releases, and add a user to it
- The user now has read access on repository, as defined
- Now create a second team with only write access on wiki and add the same user as in the previously created team
- Now the member has write rights on the whole repository
My intention was to create a team which has read access on code, issues, pull requests and releases and write access on wiki, but I noticed I can't do this in one team, so I thought teams are more like access roles and I can define multiple, with different rights, and add the users to all of these teams (am I wrong on this?). So I did the steps as described above and found this weird behavior.
Even if I understand the rights management completely wrong, it shouldn't be possible to compromise the rights of one team by creating another one with the same member, especially not when team one gives access to different parts of the repository than team two.
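The behaviour in this report, shown as an added example that is not part of the original issue and not Gitea's code: a constructed model in which each team carries one access mode and a list of units, resolved once by taking the highest mode across all of a user's teams and once per unit. The type names, unit names and both functions are assumptions made for illustration.

```go
package main

import "fmt"

// AccessMode and Team are a constructed model for this example, not Gitea's types.
type AccessMode int

const (
	None AccessMode = iota
	Read
	Write
)

type Team struct {
	Mode  AccessMode
	Units []string // repository units the team is scoped to
}

// FlattenedAccess models the reported behaviour: the highest team mode wins repo-wide.
func FlattenedAccess(teams []Team, unit string) AccessMode {
	best := None
	for _, t := range teams {
		if t.Mode > best {
			best = t.Mode
		}
	}
	return best
}

// PerUnitAccess lets a team raise the mode only for units it actually lists.
func PerUnitAccess(teams []Team, unit string) AccessMode {
	best := None
	for _, t := range teams {
		for _, u := range t.Units {
			if u == unit && t.Mode > best {
				best = t.Mode
			}
		}
	}
	return best
}

// ReporterTeams rebuilds the two teams from the steps in the report.
func ReporterTeams() []Team {
	return []Team{{Read, []string{"code", "issues", "pulls", "releases"}}, {Write, []string{"wiki"}}}
}

func main() {
	t := ReporterTeams()
	fmt.Println("code: flattened", FlattenedAccess(t, "code"), "per-unit", PerUnitAccess(t, "code"))
}
```

A regression test for this class of bug should assert the effective mode for every unit after each team membership change, including units that no team lists.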