OctopusDeploy / Issues

| Public | Bug reports and known issues for Octopus Deploy and all related tools
https://octopus.com

Users with the required permissions to clone a project scoped to a specific project group receive a permission warning when cloning a project #8080

Closed IsaacCalligeros95 closed 1 year ago

IsaacCalligeros95 commented 1 year ago

Severity

Low

Version

Latest

Latest Version

I could reproduce the problem in the latest build

What happened?

A user in a team with the required permissions to clone a project scoped to a specific project group sees a warning when trying to clone a project. The project is cloned; however, the UI warning and lack of redirect make it hard to tell the clone has completed.

This error is thrown from the IAccessChecker, AssertCanView method with "This action requires permission to view the details of projects. At least one of your teams has this permission in a limited scope, but this doesn't cover the project or environment in question." with the reason "Missing permission: ProjectView".

[sc-42256]

Reproduction

Create a new user in a team with the following two user roles, and scope these to a specific project group. Sign in as the user and try to clone a project from that project group; the ProjectView permission warning message should show. The project will still be cloned.

Error and Stacktrace

NA

More Information

No response

Workaround

Assign the ProjectGroupView permission to the Projects Edit user role. Since this is scoped to the Project Group, the user will still only see that project group.

AdamHollow49 commented 1 year ago

To add more to this, there are more details specific to this issue that the workaround above doesn't solve.

I was in the middle of creating an issue and noticed this one, so thought best to add to it.

Description:

When restricting permissions scoped by Project Group, if a project that was previously cloned into a different group retains a deployment process, an error is thrown requiring ProjectView permissions.

Removing the ProjectGroup scoping from the permissions allows cloning as expected.
Removing the project's deployment process also allows cloning as expected.

Reproduction:

Create two project groups.

Project Group A and Project Group B

Create a project in Project Group A titled: Initial Project.
Add a deployment process to this project; a simple deploy a package step is fine.

Clone this project _twice_ to a new project in Group A titled: "Cloned Project A" and a new project in Group B titled: "Cloned Project B".

Create a user role with permissions required to clone a project:

ProjectView
ProjectGroupView
ProjectCreate
ProjectEdit
etc

Create a team and apply this user role to the team, scoping it to Project Group A.

Anyone with _just_ this role will be unable to clone "Cloned Project A" due to "ProjectView" permissions, despite explicit project view permissions.

Once you remove the Project Group scoping from the User Role, the user is able to clone the project.
Deleting the process from the project that you are cloning also allows the project to be cloned.

Octobob commented 1 year ago

:tada: The fix for this issue has been released in:

| Release stream | Release |
| --- | --- |
| 2023.1 | 2023.1.10950 |
| 2023.2 | 2023.2.11991 |
| 2023.3 | 2023.3.2151 |
| 2023.4+ | all releases |