Tenant Variables view-able/update-able for Environments not scoped in the associated Team when logged-in User is associated with Multiple Teams/User Roles #4474
Comments
May relate to another existing issue regarding permissions;
On top of that, what I did was to have 3 users Both My gut feeling is the permission system might just put all permissions from every role of the teams into the same bag and ignore the scoping. E.g. the environment scoped is being ignored in this case.
Release Note: Fix a bug where environment scoped users without VariableEdit permission can save variable
Version:
Tested and replicated in Octopus version 2018.3.13
Issue:
The logged-in user is able to view/update/save variable values within the Tenant Variables area for Environments that do not exist within their associated Team scoping.
This occurs in situations where the logged-in User also belongs to multiple teams where one of the Teams has the VariableEdit permission for VariableView permissions exist for the environment.
Replication Steps:
Multi-Tenant Deployments enabled
Testing & UAT);
Create a Test Octopus User
Create two Teams based on the Permissions information specified below and associate the newly created User with these Teams.
Log in to Octopus as the newly created User
Navigate to Tenants > Variables
In this area it's possible to view/update/save variables belonging to environments that are not specified within the Team that has the UserRole required containing the VariableEdit permission
The expected behavior here would be to still be able to view the variable, but updating/saving should not be an option;
Permissions Information:
User Roles:
User Role - Test Editor
User Role - Test Reviewer
Teams:
Team - Test Editor
Team - Test Reviewer
Test Permissions - Export
Source:
https://help.octopus.com/t/a-user-can-edit-environment-scoped-variable/19645