OctopusDeploy / Issues

Bug reports and known issues for Octopus Deploy and all related tools
https://octopus.com

Incorrect application of TaskView Permission between environments #7055

Open danefalvo opened 3 years ago

danefalvo commented 3 years ago

Team

Severity

Only one customer is hitting this issue that I am aware of.

Version

Earliest: 2020.4.11 Latest: 2021.2.7462

Latest Version

I could reproduce the problem in the latest build

What happened?

Toggling the TaskView permission in permissions scoped to Environment 2 affected the view permissions on a Project in Environment 1.

Reproduction

  1. Create "User1", "Environment 1" and "Environment 2", also create a Basic "Hello World" project.
  2. Create "Team 1"
  3. Create User Role: Custom Role 1. Select the following permissions (slightly modified "Project Viewer" permissions; you may be able to use the default "Project Viewer" permissions):

ArtifactView CertificateView DeploymentView EnvironmentView EventView InterruptionView LifecycleView MachinePolicyView ProcessView ProjectGroupView ProjectView ReleaseView RunbookRunView RunbookView TaskView TeamView TenantView TriggerView

Scope Custom Role 1 to Environment 1

  4. Create User Role: Custom Role 2. Select the following permissions:

DeploymentView EnvironmentView EventView InterruptionView LifecycleView ProcessView ProjectGroupView ProjectView ReleaseView RunbookRunView RunbookView TASKVIEW TenantView

Scope Custom Role 2 to Environment 2

At this point, everything will be working as expected.

  5. With a User that is allowed to deploy that project to those environments, deploy your project to Environment 1 and Environment 2.

Using "User1", confirm you can see the Deployment Task Summary for both environments.

  6. Modify "Custom Role 2" by removing the "TaskView" permission.

At this point, User1 will get a TaskView permission error on the Project's deployment for Environment 1.

[Screenshot: Project1 Error]

Error and Stacktrace

No response

More Information

The error looks different in the versions before TaskView permissions were introduced, but the reproduction is still the same.

[Screenshots: Environment 1 / Custom Role Permissions / Team Scoping]

Customer originally reported in 2020.4.11; however, reproduced in latest.

Workaround

No response

WilliamHBonney commented 3 years ago

The reason I don't want to assign TaskView to the higher environment is that I can't stop users with access looking in the verbose log and finding out secrets that are leaked by PowerShell scripts etc. that I have no control over.
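The behaviour the reproduction expects, written as a small Python model that is added here and is not Octopus Deploy's code or part of the original issue: each role applies only inside its environment scope, and access is the union of the roles that apply. `ScopedRole`, `allowed`, `scope_leaks` and the treatment of an empty scope as unscoped are assumptions of this model; the one observed value is the result the report states.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ScopedRole:
    name: str
    permissions: frozenset
    environments: frozenset  # model assumption: empty set = unscoped (all)

def allowed(roles, permission, environment):
    # Expected rule: a role counts only inside its own scope, and access is
    # the union of the roles that apply there. A role never subtracts.
    return any(permission in r.permissions
               and (not r.environments or environment in r.environments)
               for r in roles)

def without(role, permission):
    return ScopedRole(role.name, role.permissions - {permission}, role.environments)

def scope_leaks(roles, permission, observed):
    # Environments where the observed answer differs from the model's.
    expected = {env: allowed(roles, permission, env) for env in observed}
    return {env: {"expected": expected[env], "observed": seen}
            for env, seen in observed.items() if expected[env] != seen}

# Role contents and scopes copied from the reproduction steps.
ROLE1 = ScopedRole("Custom Role 1", frozenset(
    "ArtifactView CertificateView DeploymentView EnvironmentView EventView "
    "InterruptionView LifecycleView MachinePolicyView ProcessView "
    "ProjectGroupView ProjectView ReleaseView RunbookRunView RunbookView "
    "TaskView TeamView TenantView TriggerView".split()),
    frozenset({"Environment 1"}))
ROLE2 = ScopedRole("Custom Role 2", frozenset(
    "DeploymentView EnvironmentView EventView InterruptionView LifecycleView "
    "ProcessView ProjectGroupView ProjectView ReleaseView RunbookRunView "
    "RunbookView TaskView TenantView".split()),
    frozenset({"Environment 2"}))
ENVS = ("Environment 1", "Environment 2")

def reproduce():
    before = [ROLE1, ROLE2]
    after = [ROLE1, without(ROLE2, "TaskView")]  # the change that triggers the bug
    expected = {env: (allowed(before, "TaskView", env),
                      allowed(after, "TaskView", env)) for env in ENVS}
    # Observed value taken from the report: denied on Environment 1 afterwards.
    return expected, scope_leaks(after, "TaskView", {"Environment 1": False})

if __name__ == "__main__":
    print(reproduce())
```

Passing `scope_leaks` the answers observed per environment after a role edit turns the reproduction into a regression check for this class of scoping bug.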