Deployment Targets visible when scoping Project/Library Variable sets for logged-in Users whose Team is not scoped to the required Environments #4407
Labels: kind/bug, priority (obsolete), tag/permissions
Milestone
CVE-2018-9039
Octopus Version:
Tested and replicated in Octopus Version 2018.3.4
Issue:
When scoping Project or Library Variables it is possible to restrict a variable to specific Deployment Targets.
In this instance, however, Users are able to view every deployment target and create Variables scoped to them, even though the logged-in User's Team is not scoped to the environment those targets belong to.
Replication Steps:
1. Create a new Octopus user with appropriate permissions to edit/view Project/Library variable sets.
2. Create a Team that is scoped to a specific environment (in this example the Testing environment), see below. In this example, the Testing environment contains only two deployment targets, Offline Package Target and Testing.
3. Login to Octopus as the created User.
4. Navigate to either the Variables within a Project or Library Set (in this example, this is demonstrated via the Project Variables) and create a new variable. When scoping this variable to a specific target, all targets are viewable, not just the two belonging to the associated Team.
5. It is then possible to save this change as shown below.
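The expected behaviour, as an added example that is not Octopus Deploy's own code: a Team is scoped to Environments, each Deployment Target belongs to Environments, and the target picker used when scoping a variable should offer only targets in environments the user's teams can reach. The unfiltered listing reproduces the reported behaviour beside its hardened form, and a separate save-time check covers the second half of the report (the out-of-scope selection could be saved). All names, data structures and the sample teams/targets are constructed for this illustration.

```python
"""Model of environment-scoped target visibility when scoping variables.

Added example, not Octopus Deploy's own code. Every class, function and
sample record here is a constructed model of the behaviour the issue
describes, not the product's real data model or API.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    name: str
    environments: frozenset  # environment names this target is registered in


@dataclass(frozen=True)
class Team:
    name: str
    members: frozenset       # user names
    environments: frozenset  # empty set = unrestricted (all environments)


# Constructed sample data mirroring the report: the Testing environment
# holds two targets; the Production targets should never be offered to a
# user whose only team is scoped to Testing.
TARGETS = [
    Target("Offline Package Target", frozenset({"Testing"})),
    Target("Testing", frozenset({"Testing"})),
    Target("prod-web-01", frozenset({"Production"})),
    Target("prod-db-01", frozenset({"Production"})),
]

TEAMS = [
    Team("Testers", frozenset({"alice"}), frozenset({"Testing"})),
    Team("Admins", frozenset({"root"}), frozenset()),  # unrestricted
]


def allowed_environments(user, teams):
    """Union of environments the user's teams are scoped to.

    Returns None when any team the user belongs to is unrestricted,
    and an empty set when the user belongs to no team at all.
    """
    envs = set()
    for team in teams:
        if user not in team.members:
            continue
        if not team.environments:
            return None
        envs |= team.environments
    return envs


def list_targets_unfiltered(user, teams, targets):
    """The reported behaviour: the picker lists every target, ignoring team scope."""
    return [t.name for t in targets]


def list_targets_scoped(user, teams, targets):
    """Hardened form: only targets in an environment the user's teams can reach."""
    envs = allowed_environments(user, teams)
    if envs is None:
        return [t.name for t in targets]
    return [t.name for t in targets if t.environments & envs]


def validate_variable_scope(user, teams, targets, chosen):
    """Server-side check at save time, independent of what the picker showed.

    Filtering the UI alone is not enough: the save path must enforce the same
    rule, since the report shows an out-of-scope selection could be saved.
    Returns the sorted list of target names that must be rejected (empty = OK).
    """
    visible = set(list_targets_scoped(user, teams, targets))
    return sorted(name for name in chosen if name not in visible)


if __name__ == "__main__":
    print("unfiltered:", list_targets_unfiltered("alice", TEAMS, TARGETS))
    print("scoped:    ", list_targets_scoped("alice", TEAMS, TARGETS))
    print("rejected:  ", validate_variable_scope("alice", TEAMS, TARGETS,
                                                  ["Testing", "prod-web-01"]))
```

The two functions deliberately share one rule (`list_targets_scoped`) so that the picker and the save handler cannot drift apart; an unknown target name is rejected by the same path as an out-of-scope one, since it is never in the visible set.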
Source:
https://help.octopus.com/t/users-role-is-not-filtering-accessible-deployment-targets-based-on-tenant/19298