| 标题 | theonedev onedev 15.05 BOPLA |
|---|
| 描述 | Issue 03 — Default Branch Modification Protected Only by WriteCode
Risk Summary
The REST API for changing project.defaultBranch currently appears to require only WriteCode permission.
However, the default branch acts as a project-level control-plane attribute influencing workflow automation, branch selection logic, and default execution targets.
The current Web UI already restricts this operation to project-management-level capability, resulting in inconsistent authorization semantics between UI and REST paths.
|
|---|
| 来源 | ⚠️ https://www.cnblogs.com/aibot/p/19994142 |
|---|
| 用户 | Anonymous User |
|---|
| 提交 | 2026-05-08 08時30分 (1 月前) |
|---|
| 管理 | 2026-06-06 00時21分 (29 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 369020 [theonedev 直到 15.0.5 REST API default-branch project.defaultBranch 权限提升] |
|---|
| 积分 | 20 |
|---|