Bug/Feature request: Improve cache clearing when changing teams

security

(Chris P) #1

We have AAD integration so when team members are hired, they log in to our OD instance, after which they’re manually added to a team.
At this point, they can usually see a lot of OD widgets, but many of them don’t work properly until the team member logs out and back in again. This was our workaround for over a year until it didn’t work today for our latest dev hire. (They couldn’t save Variables, getting a “VariableEdit Access” error).
An amount of troubleshooting later, apparently they had to clear their Chrome cache before it started working properly.

We do almost exactly the same process with our TeamCity instance, and it doesn’t have any such issues (it starts working properly right away, with no logout/login required). Could you improve Octopus Deploy to work that way too please?

Thanks

Thanks.


(Shannon Lewis) #3

Hi Chris,

Thanks for getting in touch and sorry to hear you’re having issues with the caching. Can I just confirm which version of Octopus you have?

I know that 3.x behaved the way you described, but in the UI re-write for 4.0 this was addressed. I’ve just run some tests locally and the UI in 4.0 is updating immediately for me, the user definitely doesn’t have to log out/in to get updated permissions, it happens on the poll of the dashboard or as soon as you move to another page.

If you are on a 4+, would you be able to describe the team they get defaulted into and the one they get added to? E.g. from what you described maybe they start in a team that has project view and get added to another team that also has variable edit? I’ve just tested this scenario and it’s working as expected for me, but there may be edge cases in there that we haven’t come across.

Regards
Shannon


(Chris P) #4

The version is v2018.3.11
New users don’t get added to any team at all right now. (Our analysts and devs have different setups).

Our devs get assigned Project deployer and Project lead roles for our dev environment… our analysts get DeploymentView, ProjectView, DeploymentCreate and a number of other permissions for their project in Production.
Just today an analyst was added and got a “ProjectView permission” error 'till they used Ctrl-F5.


(Shannon Lewis) #5

I haven’t been able to reproduce the issue you are seeing as yet and just wanted to make sure I’ve understood your scenario correctly.

You mentioned previously that the users were being manually added to a team, can I just double check that you did mean added directly to a team in Octopus?

Users can be related to a team indirectly when using AAD, via roles/groups in AAD, and this does require a log out/in to get updates that have occurred on the AAD side.


(Chris P) #6

Yes, I’m adding them in OD. (We’re not using the group feature of AAD.).
I was able to reproduce this behaviour in v 2018.6.0 with a local OD user.

  1. Add user in OD, but don’t assign to any team
  2. Log in as that user in some browser (I used 3 different browsers on 2 different PCs)
  3. Add the user to a group that would typically be allowed to edit projects, etc.
    At this point Projects on the dashboard appear, but selecting one results in an empty Project displaying “The ProjectView permission is required to view project overview details”. The top bar is also empty, offering just the Dashboard, notifications icon, and user dropdown.

(Shannon Lewis) #7

Thanks for the additional information. My scenario hadn’t been setup quite right but I have been able to reproduce the behavior now. I’ve checked the code and the user’s permissions are definitely only being loaded on session start. I was able to get the refreshed permissions by logging out and back in though, I didn’t have to press Ctrl-F5 like you’re experiencing.

I’m trying to get some clarification from the team on whether the permission cache not refreshing was deliberate. It feels like it should to me and I’ve created an issue that you can follow on GitHub.