From 25d8743d44fc0b11d964be4c7f92ffd546c1d5a1 Mon Sep 17 00:00:00 2001
From: Valentijn Scholten
Date: Mon, 2 Mar 2026 12:26:00 +0100
Subject: [PATCH] Always set ACL on new projects when using API key with team
Remove the ACCESS_MANAGEMENT_ACL_ENABLED check from updateNewProjectACL so that the API key's team is added to newly created projects regardless of whether the portfolio access control feature is enabled. This aligns the behaviour with createProject via the Project API, which applies accessTeams from the request body even when the ACL feature is disabled. Consistent ACL assignment ensures the uploading/creating team retains access when the feature is later enabled. Adds tests for BOM auto-create and Project API create with ACL disabled.
Signed-off-by: Valentijn Scholten
---
 .../persistence/ProjectQueryManager.java | 16 ++++++++--------
 .../resources/v1/BomResourceTest.java | 18 ++++++++++++++++++
 .../resources/v1/ProjectResourceTest.java | 16 ++++++++++++++++
 3 files changed, 42 insertions(+), 8 deletions(-)
diff --git a/src/main/java/org/dependencytrack/persistence/ProjectQueryManager.java b/src/main/java/org/dependencytrack/persistence/ProjectQueryManager.java
index 3f2fbd8d52..97a407a8c6 100644
--- a/src/main/java/org/dependencytrack/persistence/ProjectQueryManager.java
+++ b/src/main/java/org/dependencytrack/persistence/ProjectQueryManager.java
@@ -1032,13 +1032,13 @@ public void deleteProjectsByUUIDs(Collection uuids) { ); executeAndCloseWithArray(sqlQuery, queryParameter); - sqlQuery = pm.newQuery(JDOQuery.SQL_QUERY_LANGUAGE, """ + sqlQuery = pm.newQuery(JDOQuery.SQL_QUERY_LANGUAGE, """ DELETE FROM "DEPENDENCYMETRICS" WHERE "PROJECT_ID" = ANY(?); """.replaceAll(Pattern.quote("= ANY(?)"), inExpression) ); executeAndCloseWithArray(sqlQuery, queryParameter); - sqlQuery = pm.newQuery(JDOQuery.SQL_QUERY_LANGUAGE, """ + sqlQuery = pm.newQuery(JDOQuery.SQL_QUERY_LANGUAGE, """ DELETE FROM "FINDINGATTRIBUTION" WHERE "PROJECT_ID" = ANY(?); """.replaceAll(Pattern.quote("= ANY(?)"), inExpression) ); @@ -1060,13 +1060,13 @@ public void deleteProjectsByUUIDs(Collection uuids) { ); executeAndCloseWithArray(sqlQuery, queryParameter); - sqlQuery = pm.newQuery(JDOQuery.SQL_QUERY_LANGUAGE, """ + sqlQuery = pm.newQuery(JDOQuery.SQL_QUERY_LANGUAGE, """ DELETE FROM "ANALYSIS" WHERE "PROJECT_ID" = ANY(?); """.replace("= ANY(?)", inExpression) ); executeAndCloseWithArray(sqlQuery, queryParameter); - sqlQuery = pm.newQuery(JDOQuery.SQL_QUERY_LANGUAGE, """ + sqlQuery = pm.newQuery(JDOQuery.SQL_QUERY_LANGUAGE, """ DELETE FROM "COMPONENT_PROPERTY" WHERE "COMPONENT_ID" IN ( SELECT "ID" FROM "COMPONENT" WHERE "PROJECT_ID" = ANY(?) ); @@ -1119,7 +1119,7 @@ WHERE PROJECT.ID IN (SELECT value FROM STRING_SPLIT(?, ',')) executeAndCloseWithArray(sqlQuery, queryParameter); } - sqlQuery = pm.newQuery(JDOQuery.SQL_QUERY_LANGUAGE, """ + sqlQuery = pm.newQuery(JDOQuery.SQL_QUERY_LANGUAGE, """ DELETE FROM "COMPONENT" WHERE "PROJECT_ID" = ANY(?); """.replace("= ANY(?)", inExpression) ); @@ -1318,7 +1318,7 @@ WHERE PROJECT.ID IN (SELECT value FROM STRING_SPLIT(?, ',')) executeAndCloseWithArray(sqlQuery, queryParameter); } - sqlQuery = pm.newQuery(JDOQuery.SQL_QUERY_LANGUAGE, """ + sqlQuery = pm.newQuery(JDOQuery.SQL_QUERY_LANGUAGE, """ DELETE FROM "PROJECT" WHERE "ID" = ANY(?); """.replace("= ANY(?)", inExpression) ); 
@@ -1564,7 +1564,7 @@ void preprocessACLs(final Query query, final String inputFilter, final Map query, final String inputFilter, final Map assertThat(project.getAccessTeams()).extracting(Team::getName).containsOnly(team.getName())); } + + @Test + void createProjectWithAclDisabledAddsApiKeyTeamTest() { + // ACL is not enabled - updateNewProjectACL should still add the API key's team + Project project = new Project(); + project.setName("acme-app-acl-disabled"); + project.setVersion("1.0"); + Response response = jersey.target(V1_PROJECT) + .request() + .header(X_API_KEY, apiKey) + .put(Entity.entity(project, MediaType.APPLICATION_JSON)); + assertThat(response.getStatus()).isEqualTo(201); + assertThat(qm.getProject("acme-app-acl-disabled", "1.0")).satisfies(created -> + assertThat(created.getAccessTeams()).extracting(Team::getName).containsOnly(team.getName())); + } + @Test void createProjectAsLatestTest() { Project project = new Project();
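Review bot: The new test createProjectWithAclDisabledAddsApiKeyTeamTest only asserts the "ACL disabled" precondition in a comment; it relies on ACCESS_MANAGEMENT_ACL_ENABLED being unset by default, so it would keep passing for the wrong reason if a later fixture change enables the feature, and the test would no longer cover the case the commit is about. Before the PUT, either create the config property with value `false` or assert that it is absent, and phrase the comment as the precondition being checked, e.g. `// precondition: ACCESS_MANAGEMENT_ACL_ENABLED is not set, so the team can only come from updateNewProjectACL`. The assertion on `created.getAccessTeams()` is correct for the intended behaviour, since `containsOnly` rejects both an empty list and an extra team. The hunk's header and the first context line before the added method are not visible here, so the enclosing test class is only partly in view.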