Permission error occured when accessing the comments of a specific issue

[k1won]

My actions before raising this issue

• Read/searched the docs
• Searched past issues

Expected Behaviour

• returns all comments of a specific issue

Current Behaviour

• permission error occured (except admin account)

HTTP 403 Forbidden
Allow: GET, OPTIONS
Content-Type: application/vnd.cvat+json
Vary: Accept

{
    "detail": "You do not have permission to perform this action."
}

Possible Solution

• add additional 'key:value'('comments': 'view') to the get_scopes() method in IssuePermission class like below. (apps.iam.permissions.py)

    @staticmethod
    def get_scopes(request, view, obj):
        return [{
            'list': 'list',
            'create': 'create@job',
            'destroy': 'delete',
            'partial_update': 'update',
            'retrieve': 'view',
            'comments': 'view'
        }.get(view.action, None)]

Steps to Reproduce (for bugs)

1. create an issue and comment by task owner
2. access the /api/issues/{id}/comments api endpoint

Context

Your Environment

• Git hash commit (git log -1): cc98ff0
• Docker version docker version (e.g. Docker 17.0.05):
• Are you using Docker Swarm or Kubernetes?
• Operating System and version (e.g. Linux, Windows, MacOS): ubuntu 18.04
• Code example or link to GitHub repo or gist to reproduce problem:
• Other diagnostic information / logs:
  Logs from `OPA` container

    "input": {
        "auth": {
            "organization": {
                "id": 9,
                "owner": {
                    "id": 6
                },
                "user": {
                    "role": "owner"
                }
            },
            "user": {
                "id": 6,
                "privilege": "business"
            }
        },
        "resource": {
            "assignee": {
                "id": null
            },
            "id": 12,
            "job": {
                "assignee": {
                    "id": 4
                }
            },
            "organization": {
                "id": 9
            },
            "owner": {
                "id": 4
            },
            "project": null,
            "task": {
                "assignee": {
                    "id": 7
                },
                "owner": {
                    "id": 6
                }
            }
        },
        "scope": null
    },

Next steps

You may join our Gitter channel for community support.

[nmanovic]

@k1won , thanks for the bug report! Please let me know if you would like to send us a PR. In general if I don't reply in several hours on the comment, I will fix it by myself. I want to have the fix in our next release v2.0.0

[k1won]

@nmanovic, I will send a PR soon. 2022년 3월 4일 (금) 오후 6:22, Nikita Manovich ***@***.***>님이 작성:

…

@k1won <https://github.com/k1won> , thanks for the bug report! Please let me know if you would like to send us a PR. In general if I don't have a reploy from you in several hours, I will fix it by myself. I want to have the fix in our next release v2.0.0 — Reply to this email directly, view it on GitHub <#4416 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ADCMFFIKHMVEFXJNEI6O2CDU6HI6FANCNFSM5P4TO37Q> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you were mentioned.Message ID: ***@***.***>