Tenant Variables view-able/update-able for Environments not scoped in the associated Team when logged-in User is associated with Multiple Teams/User Roles #4474
Comments
May relate to another existing issue regarding permissions;
On top of that, what I did was to have 3 users Both My gut feeling is the permission system might just put all permissions from every role of the teams into the same bag and ignore the scoping. E.g. the environment scoped is being ignored in this case
Release Note: Fix a bug where environment scoped users without VariableEdit permission can save variable
This thread has been automatically locked since there has not been any recent activity after it was closed. If you think you've found a related issue, please contact our support team so we can triage your issue, and make sure it's handled appropriately.
Version:
Tested and replicated in Octopus version 2018.3.13

Issue:
The logged-in user is able to view/update/save variable values within the Tenant Variables area for Environments that do not exist within their associated Team scoping. This occurs in situations where the logged-in User also belongs to multiple teams where one of the Teams has the VariableEdit permission for VariableView permissions exist for the environment.

Replication Steps:
Multi-Tenant Deployments enabled
Testing & UAT);
Create a Test Octopus User
Create two Teams based on the Permissions information specified below and associate the newly created User with these Teams.
Login to Octopus as the newly created User
Navigate to Tenants > Variables
In this area it's possible to view/update/save variables belonging to environments that are not specified within the Team that has the UserRole required containing the VariableEdit permission

The expected behavior here would be to still be able to view the variable, but updating/saving should not be an option.

Permissions Information:
User Roles:
User Role - Test Editor
User Role - Test Reviewer
Teams:
Team - Test Editor
Team - Test Reviewer
Test Permissions - Export

Source:
https://help.octopus.com/t/a-user-can-edit-environment-scoped-variable/19645
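
A minimal model of the failure mode discussed in this issue, added here as an illustration; it is not Octopus code and not part of the original thread. It contrasts the "same bag" evaluation hypothesized in the comments with a per-team scoped check. The `Team` class, the function names and which environment each team is scoped to are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Team:
    name: str
    permissions: frozenset   # permissions granted by the team's user role
    environments: frozenset  # environment scope; empty means unscoped (all)


# Constructed sample data. Assumption: Test Editor is scoped to Testing,
# Test Reviewer is scoped to UAT; the user belongs to both teams.
TEAMS = [
    Team("Test Editor", frozenset({"VariableView", "VariableEdit"}),
         frozenset({"Testing"})),
    Team("Test Reviewer", frozenset({"VariableView"}), frozenset({"UAT"})),
]


def allowed_flattened(teams, permission, environment):
    """Flawed model: permissions and scopes of all teams are merged first."""
    perms = set().union(*(t.permissions for t in teams))
    envs = set().union(*(t.environments for t in teams))
    unscoped = any(not t.environments for t in teams)
    return permission in perms and (unscoped or environment in envs)


def allowed_scoped(teams, permission, environment):
    """Scoped model: one team must grant the permission AND cover the environment."""
    return any(
        permission in t.permissions
        and (not t.environments or environment in t.environments)
        for t in teams
    )


def audit(teams, permissions, environments):
    """List (permission, environment) pairs the flattened check over-grants."""
    return sorted(
        (p, e) for p in permissions for e in environments
        if allowed_flattened(teams, p, e) and not allowed_scoped(teams, p, e)
    )


if __name__ == "__main__":
    pairs = audit(TEAMS, ["VariableView", "VariableEdit"], ["Testing", "UAT"])
    for perm, env in pairs:
        print(f"over-granted: {perm} on {env}")
```

The same `audit` comparison can serve as a regression test for any role/team model: every pair it returns is a privilege that exists only because scopes from different teams were combined.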