Skip to content

fix(rest): guard attachment checkStatus approval behind CLEARING_ADMIN role#4047

Open
Aman-Cool wants to merge 1 commit intoeclipse-sw360:mainfrom
Aman-Cool:fix/attachment-checkstatus-role-check
Open

fix(rest): guard attachment checkStatus approval behind CLEARING_ADMIN role#4047
Aman-Cool wants to merge 1 commit intoeclipse-sw360:mainfrom
Aman-Cool:fix/attachment-checkstatus-role-check

Conversation

@Aman-Cool
Copy link
Copy Markdown
Contributor

@Aman-Cool Aman-Cool commented Apr 7, 2026

While digging through the attachment update flow in the REST layer, I noticed that Sw360AttachmentService lets any user with write access on a release set an attachment's checkStatus to ACCEPTED or REJECTED; no role check at all. This turns out to be a pretty serious gap because ComponentDatabaseHandler calls autosetReleaseClearingState on every release update, and that method promotes the release straight to ClearingState.APPROVED the moment it finds a CLEARING_REPORT or COMPONENT_LICENSE_INFO_XML attachment whose checkStatus is ACCEPTED. So a regular user who created a release could just upload a file, patch the attachment status to ACCEPTED via the REST API, and their release would show up as fully cleared, without a clearing expert ever looking at it.

The fix is small: before applying ACCEPTED or REJECTED to an attachment in both uploadAttachment() and updateAttachment(), we now check that the caller holds at least CLEARING_ADMIN. If they don't, we throw AccessDeniedException which the existing RestExceptionHandler maps to HTTP 403. Nothing else in the flow needed changing; autosetReleaseClearingState itself is fine, it just needed trustworthy input.

  • No new dependencies added.
  • No schema or Thrift IDL changes.

Issue: NA

Suggest Reviewer

@GMishx
(this touches the clearing state promotion logic so anyone familiar with the attachment approval flow would be a good fit.)

How To Test?

  1. Create a release as a regular USER (non-clearing-admin).
  2. Upload an attachment of type CLEARING_REPORT via POST /api/releases/{id}/attachments.
  3. Try patching checkStatus to ACCEPTED via PATCH /api/releases/{id}/attachment/{attachmentContentId} with the same user token; you should get HTTP 403.
  4. Repeat step 3 with a CLEARING_ADMIN token; it should go through and the release clearingState should become APPROVED.
  5. Also verify that setting checkStatus to NOTCHECKED still works for any user with write access (unchanged behaviour).

No new automated tests added in this PR, but the above steps are quick to reproduce manually against a local SW360 instance.

Checklist

Must:

  • All related issues are referenced in commit messages and in PR

@Aman-Cool Aman-Cool marked this pull request as ready for review April 7, 2026 09:31
@Aman-Cool
Copy link
Copy Markdown
Contributor Author

Aman-Cool commented Apr 7, 2026

Hey @GMishx, found this while going through the REST attachment flow; any user with write access on a release can set checkStatus: ACCEPTED on a clearing report attachment via the API, which silently promotes the release to APPROVED through autosetReleaseClearingState. The UI guards this behind a role check but the REST layer never got one. Small fix, two spots in Sw360AttachmentService.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@GMishx GMishx Awaiting requested review from GMishx GMishx is a code owner

@KoukiHama KoukiHama Awaiting requested review from KoukiHama KoukiHama is a code owner

@arunazhakesan arunazhakesan Awaiting requested review from arunazhakesan arunazhakesan is a code owner

@ag4ums ag4ums Awaiting requested review from ag4ums ag4ums is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Aman-Cool