4.0.2: Permission Problems

kneumei

16 Nov, 2017 03:08 PM

I'm seeing two separate issues with permissions in 4.0.2 that I'm going to combine into one problem discussion. Permissions are complex, so I'll do my best.

Unable to deploy a release if DeploymentCreate is scoped to a project

  1. I've got a team set up with "Project Viewer" and "Release Manager" roles. The "Release Manager" role has the "DeploymentCreate" permission, giving the ability to deploy an already-created release.
  2. If I don't add a project to the team, I can navigate to my project's release page and see the "Deploy To..." button at the top right (projects/test-project/releases/0.0.1)
  3. When I add a project to the team, I no longer see this button at the top right.

Unable to view/create release if team with Project Viewer role is scoped to a tenant

  1. I've got a team set up the same as before ("Project Viewer" and "Release Manager" roles).
  2. I've got the team scoped to a single project.
  3. When I go to the project, I see the "Releases" link on the left. I see the "Create Release" button under the Project name on the left. Both of these things are expected
  4. I then add a tenant to the team
  5. When I go back to the project, I now see that I'm missing both the "Create Release" button and the "Releases" link.
  1. 1 Posted by Paul Donovan on 16 Nov, 2017 11:57 PM

    I have a similar problem. In 4.0.0 and 4.0.2, a member of a restricted team can't see an overview of a release, or the release notes:

    Team has the User Role 'Project viewer'. They are restricted to a couple of projects.

    From the Dashboard, click on a project.
    The project page shows a permission error, saying "You do not have permission to perform this action. Please contact your Octopus administrator. Missing permission: ProcessView"
    Clicking Overview, Triggers and Release shows the same thing.

    We need these team members (external clients) to be able to see details of each release such as release notes, which environment has which release, and when the deployments were done.

  2. Support Staff 2 Posted by Mark Siedle on 17 Nov, 2017 01:06 AM

    Hi,

    Thanks for getting in touch and thanks for reporting these so quickly.

    We have reproduced and have created a GitHub issue here (marked priority) to get this fixed asap.

    Again, thanks for providing detailed steps on how to reproduce these issues, that really helps us :) We're looking into this problem today, so we would expect a fix to go out in the next release (likely Monday/Tuesday).

    Cheers
    Mark

  3. Support Staff 3 Posted by Mark Siedle on 17 Nov, 2017 03:17 AM

    Hi Paul,

    Regarding your particular issue, we meant to add the ProcessView permission to the built-in "Project viewer" role, however this did not get actioned (it will likely be going into next week's release, based on this GitHub issue).

    Existing installations (such as yours) will need to manually add the ProcessView permission to your "Project viewer" role, so once you add that, those problems relating to the missing ProcessView should go away.

    Hope this helps.

    Cheers
    Mark

  4. 4 Posted by Paul Donovan on 17 Nov, 2017 03:24 AM

    Hi Mark,

    I tried adding ProcessView to Project viewer but I'm not sure I like that solution. They can now view the process (obviously!) which allows them to re-order steps and alter the lifecycle. They shouldn't have any of that just so they can read release notes in releases.

    Cheers,
    Paul

  5. 5 Posted by Paul Donovan on 17 Nov, 2017 03:25 AM

    Sorry, I should correct - they can re-order Child steps.

  6. Support Staff 6 Posted by Mark Siedle on 17 Nov, 2017 03:42 AM

    Hi Paul,

    Reordering or any editing should require ProcessEdit.

    If you are finding you can edit or re-order child steps with someone you believe to be a "view only" user, can you please confirm the roles assigned to that user (see Configuration > Test permissions, select the user and see if ProcessEdit is listed)?

    Cheers
    Mark

  7. 7 Posted by Paul Donovan on 17 Nov, 2017 03:50 AM

    Sorry, you're right. Whilst I could drag the UI widgets to re-order the child steps in the process, when I clicked the Save button I got a ProcessEdit permission required.

  8. Support Staff 8 Posted by Mark Siedle on 17 Nov, 2017 03:56 AM

    Thanks for confirming Paul.

    That's a good point though. The UI makes it appear like you can edit, until you hit save and the API stops you. While the API is always the final line of defence for permissions, we'll see if we can improve the front-end so things like this are more in-sync.

    Cheers
    Mark
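
The behaviour confirmed in this exchange (the front end lets a view-only user drag steps, the API refuses the save) can be reproduced with a small model. This is an added example, not Octopus code: the role contents, the "Process editor (hypothetical)" role, the function names and the rule that an empty project scope means no restriction are assumptions; only the permission names come from the thread.

```python
from dataclasses import dataclass, field

# Constructed role contents: only the permission names appear in the thread.
ROLES = {
    "Project viewer": {"ProcessView"},
    "Release Manager": {"DeploymentCreate"},
    "Process editor (hypothetical)": {"ProcessView", "ProcessEdit"},
}

class PermissionDenied(Exception):
    pass

@dataclass
class Team:
    roles: set
    projects: set = field(default_factory=set)  # assumption: empty = no project restriction

def is_allowed(teams, permission, project):
    """True if any team grants `permission` and its scope covers `project`."""
    for team in teams:
        in_scope = not team.projects or project in team.projects
        if in_scope and any(permission in ROLES[r] for r in team.roles):
            return True
    return False

def save_process(teams, project, steps):
    """Server-side write path: authorizes every call, whatever the client drew."""
    if not is_allowed(teams, "ProcessEdit", project):
        raise PermissionDenied("Missing permission: ProcessEdit")
    return list(steps)

def ui_flags(teams, project):
    """Hints for the front end, derived from the same check so both stay in sync."""
    return {
        "can_view_process": is_allowed(teams, "ProcessView", project),
        "can_edit_process": is_allowed(teams, "ProcessEdit", project),
        "can_deploy": is_allowed(teams, "DeploymentCreate", project),
    }

# Constructed sample: a team like the one in the original report, scoped to one project.
CLIENTS = [Team({"Project viewer", "Release Manager"}, {"test-project"})]
```

A front end that renders its drag handles from `ui_flags` never offers an edit that `save_process` will reject, and a client that ignores the flags is still stopped at the write path.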

  9. 9 Posted by josh.j on 17 Nov, 2017 05:01 PM

    We're also seeing this issue... We think we've tracked the problem back to when a Team is limited to Project Groups. When we remove Project Groups from a team people are able to deploy.

    While this is an issue because we don't want everyone to have the ability to deploy all team apps in Octopus, we've been able to select a few people so our company isn't completely SOL.

  10. Support Staff 10 Posted by Nick Josevski on 20 Nov, 2017 11:36 PM

    Hi Josh,

    Thanks for the additional confirmation. We're working towards a fix, and will let you all know when we have a fix shipped.

    Regards,
    Nick

  11. Support Staff 11 Posted by Nick Josevski on 21 Nov, 2017 06:18 AM

    Hello All,

    We've just released a new version of Octopus 4.

    It has the fix for the issues listed, and is available for download at: https://octopus.com/downloads/4.0.4

    We greatly appreciate all your time and effort in moving to V4 and for letting us know of the issues as you discover them, hopefully there's no more impacts to your respective workflows.

    But if you do have any trouble please let us know and put in as much detail as you think might be useful.

    Happy deployments on Octopus :)

    Regards,
    Nick
