| Title | theonedev onedev 15.05 BOPLA |
|---|
| Description | Issue 03 — Default Branch Modification Protected Only by WriteCode
Risk Summary
The REST API for changing project.defaultBranch currently appears to require only WriteCode permission.
However, the default branch acts as a project-level control-plane attribute influencing workflow automation, branch selection logic, and default execution targets.
The current Web UI already restricts this operation to project-management-level capability, resulting in inconsistent authorization semantics between UI and REST paths.
|
|---|
| Source | ⚠️ https://www.cnblogs.com/aibot/p/19994142 |
|---|
| User | Anonymous User |
|---|
| Submission | 05/08/2026 08:30 (1 month ago) |
|---|
| Moderation | 06/06/2026 00:21 (29 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 369020 [theonedev up to 15.0.5 REST API default-branch project.defaultBranch improper authorization] |
|---|
| Points | 20 |
|---|