Skip to content

Non-admin users can edit project settings — missing role guard on PATCH /projects/:id #346

Description

@sumeetp26

Description

Non-admin users are currently able to edit project settings (e.g., project name, main branch, comparison provider) via the UI and the API. The PATCH /projects/:id endpoint does not enforce an admin-only guard, meaning any authenticated user can modify project-level configuration.

Expected Behavior

Only users with the admin role should be able to update project settings. Non-admin users should receive a 403 Forbidden response when attempting to call PATCH /projects/:id.

Actual Behavior

Any authenticated user can successfully update project settings regardless of their role.

Suggested Fix

Add an @Roles('admin') guard (similar to what is used on user management endpoints) to the update() method in projects.controller.ts:

@Patch(':id')
@UseGuards(JwtAuthGuard, RolesGuard)
@Roles('admin')
update(@Param('id') id: string, @Body() dto: UpdateProjectDto) {
  return this.projectsService.update(id, dto);
}

The frontend should also conditionally hide the settings UI for non-admin users.

Environment

  • Self-hosted on GCP VM via Docker Compose
  • VRT version: 5.1.2

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions