Lifecycle automatic promotion and ARC with limited access user

[tothegills]

The bug

When a project is configured with automatic release creation and the first environment in the lifecycle with auto promotion, the permissions of the user that uploads the package to initiate ARC and auto promote are used to create the deployment.

What I expected to happen

The lifecycle promotion should happen regardless of the permissions of the user that uploaded the package.

Steps to reproduce

1. Create a project with ARC and auto promotion to the first environment in the lifecycle
2. Create a user with package push permissions
3. Upload a package to trigger ARC
4. Observe the release does not get deployed to the first environment

Log exerpt

You do not have permission to perform this action. Please contact your Octopus
 administrator. Missing permission: DeploymentView
Octopus.Core.Security.Permissions.OctopusSecurityException: You do not have pe
rmission to perform this action. Please contact your Octopus administrator. Mi
ssing permission: DeploymentView
   at Octopus.Core.Security.Permissions.PermissionsQueryRestrictor.FilterToPar
titionsThatCanViewDocumentType[TDocument](IEnumerable`1 partitions, Boolean st
rictAssertionsForQueries)
   at Octopus.Server.Web.Infrastructure.OctopusQueryExecutor.<GetPartitionsWit
hViewAccess>b__51_0[TDocument](IEnumerable`1 p, IQueryRestrictor qr)
   at System.Linq.Enumerable.Aggregate[TSource,TAccumulate](IEnumerable`1 sour
ce, TAccumulate seed, Func`3 func)
   at Octopus.Server.Web.Infrastructure.OctopusQueryExecutor.GetPartitionsWith
ViewAccess[TDocument]()
   at Octopus.Server.Web.Infrastructure.OctopusQueryExecutor.TableQuery[TDocum
ent]()
   at Nevermore.QueryExecutorExtensions.Query[TDocument](IQueryExecutor queryE
xecutor)
   at Octopus.Server.Communications.Lifecycles.LifecycleEvaluator.<>c__Display
Class11_0.<Evaluate>g__DeployImmediately|0(DeploymentEnvironment environment,
Tenant tenant)
   at Octopus.Server.Communications.Lifecycles.LifecycleEvaluator.Evaluate(Str
ing releaseId, String trigger, User user)
   at Octopus.Server.Communications.Lifecycles.LifecycleEvaluator.NotifyReleas
eCreated(String releaseId, String userId)
   at Octopus.Server.Communications.Packages.PackageEvaluator.CreateRelease(St
ring packageId, String packageVersion, Project project, DeploymentProcess depl
oymentProcess, String channelId, Feed builtInFeed)
   at Octopus.Server.Communications.Packages.PackageEvaluator.Evaluate(String
packageId, String packageVersion)

Affected versions

Octopus Server: 2019.1.0

Links

https://secure.helpscout.net/conversation/789435400/40075/

[tothegills]

Release note: Automatic lifecycle promotion after automatic release creation works regardless of the permissions of the user that pushed the package, fixing an issue introduced in 2019.1.0

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. If you think you've found a related issue, please contact our support team so we can triage your issue, and make sure it's handled appropriately.