I have a similiar problem. In 4.0.0 and 4.0.2, a member of a restricted team can't see an overview of a release, or the release notes:
Team has the User Role 'Project viewer'. They are restricted to a couple of projects.
From the Dashboard, click on a project.
The project page shows a permission error, saying "You do not have permission to perform this action. Please contact your Octopus administrator. Missing permission: ProcessView"
Clicking Overview, Triggers and Release shows the same thing.
We need these team members (external clients) to be able to see details of each release such as release notes, which environment has which release, and when the deployments were done.
Mark Siedle on 17 Nov, 2017 01:06 AM
Thanks for getting in touch and thanks for reporting these so quickly.
We have reproduced and have created a GitHub issue here (marked priority) to get this fixed asap.
Again, thanks for providing detailed steps on how to reproduce these issues, that really helps us :) We're looking into this problem today, so we would expect a fix to go out in the next release (likely Monday/Tuesday).
Mark Siedle on 17 Nov, 2017 03:17 AM
Regarding your particular issue, we meant to add the ProcessView permission to the built-in "Project viewer" role, however this did not get actioned (it will likely be going into next week's release, based on this GitHub issue).
Existing installations (such as yours) will need to manually add the ProcessView permission to your "Project viewer" role, so once you add that, those problems relating to the missing ProcessView should go away.
I tried adding ProcessView to Project viewer but I'm not sure I like that solution. They can now view the process (obviously!) which allows them to re-order steps and alter the lifecycle. They shouldn't have any of that just so they can read release notes in releases.
Mark Siedle on 17 Nov, 2017 03:42 AM
Reordering or any editing should require ProcessEdit.
If you are finding you can edit or re-order child steps with someone you believe to be a "view only" user, can you please confirm the roles assigned to that user (see Configuration > Test permissions, select the user and see if ProcessEdit is listed?
Mark Siedle on 17 Nov, 2017 03:56 AM
Thanks for confirming Paul.
That's a good point though. The UI makes it appear like you can edit, until you hit save and the API stops you. While the API is always the final line of defence for permissions, we'll see if we can improve the front-end so things like this are more in-sync.