Not able to upload a bom without ACCESS_MANAGEMENT permission when portfolio access control is enabled

[thucke]

Current Behavior

Having a team with the following permissions:

• BOM_UPLOAD
• PORTFOLIO_MANAGEMENT
• PROJECT_CREATION_UPLOAD
• VIEW_POLICY_VIOLATION
• VIEW_PORTFOLIO
• VIEW_VULNERABILITY
• VULNERABILITY_ANALYSIS

a new BOM could be uploaded to a specific parent project via API (regulary using maven plugin io.github.pmckeown.dependency-track-maven-plugin).

After portfolio access control has been activated the upload fails until the team got ACCESS_MANAGEMENT permission.
This is INHO a risk for access control as members having this additional permission could grant themselfes or others any permission.

Steps to Reproduce

1. setup a team with the upper mentioned permissions
2. add an empty project that should be parent for new uploads
3. do an upload of a BOM via API behond the new parent project ==> success
4. activate portfolio access control and add the parent project to the team used for this test
5. do an upload of a BOM via API behond the prent project ==> fails "forbidden"
6. add ACCESS_CONTROL to the team permissions
7. do an upload of a BOM via API behond the prent project ==> success

Expected Behavior

Publishing new BOMs to Dependency Track via API should be possible without having ACCESS_CONTROL permission even when portfolio access control is enabled.

Dependency-Track Version

4.12.x

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

N/A

Checklist

• I have read and understand the contributing guidelines
• I have checked the existing issues for whether this defect was already reported