Tenant Variables view-able/update-able for Environments not scoped in the associated Team when logged-in User is associated with Multiple Teams/User Roles

[reecewalsh]

Version:

Tested and replicated in Octopus version 2018.3.13

Issue:

The logged-in user is able to view/update/save variable values within the Tenant Variables area for Environments that do not exist within their associated Team scoping.

This occurs in situations where the logged-in Users also belongs to multiple teams where one of the Teams has the VariableEdit permission for VariableView permissions exist for the environment.

Replication Steps:

1. Create a Test Project with Multi-Tenant Deployments enabled

2. Connect the associated Project to a newly generated Tenant and select two environments (i.e. Testing & UAT);

3. Create a Project Template within the Project;

4. Create a Test Octopus User

5. Create two Teams based on the Permissions information specified below and associate the newly created User with these Teams.

6. Login to Octopus as the newly created User

7. Navigate to Tenants > Variables

8. In this area it's possible to view/update/save variables belonging to environments that are not specified within the Team that has the UserRole required containing the VariableEdit permission

9. The expected behavior here would be still be able to view the variable but updating/saving should not be an option;

Permissions Information:

User Roles:

User Role - Test Editor

User Role - Test Reviewer

Teams:

Team - Test Editor

Team - Test Reviewer

Test Permissions - Export

Source:

https://help.octopus.com/t/a-user-can-edit-environment-scoped-variable/19645

[reecewalsh]

May relate to another existing issue regarding permissions;

#4454

[pawelpabich]

User from tenant scoped team can see machines that do not scope to the tenant

[mayuanyang]

On top of that, what I did was to have 3 users issue4474viewer, issue4474editor and issue4474, issue4474viewer assigned to the Viewer team, issue4474editor to the Editor team and issue4474 for both teams.

Both issue4474viewer and issue4474editor work as expected, only issue4474 has the problem as described above.

My gut feeling is the permission system might just put all permissions from every role of the teams into the same bag and ignore the scoping. E.g. the environment scoped is being ignored in this case

[pawelpabich]

Tenant Variables view-able/update-able for Environments not scoped in the associated Team when logged-in User is associated with Multiple Teams/User Roles

[octoreleasebot]

Release Note: Fix a bug where environment scoped users without VariableEdit permission can save variable

[mayuanyang]

CVE-2018-10581

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. If you think you've found a related issue, please contact our support team so we can triage your issue, and make sure it's handled appropriately.