Hi guys,
We run Octopus 3.8.8. We have a team called Variables editor. This team has these permissions:
- Edit non-environment scoped variables belonging to a project or library variable set (restrictable to projects)
- Edit variables belonging to a project or library variable set (restrictable to projects, environments)
- View non-environment scoped variables belonging to a project or library variable set (restrictable to projects)
- View variables belonging to a project or library variable set (restrictable to projects, environments)
All these permissions are not scoped by environment or projects.
Today we faced an issue where a user from the Variables editor team could not edit Script Modules.
When the user opens a script module, he sees only a dummy script (see the attached screenshot). I have done a little investigation. When I open that script, I see everything normally (600 lines of PowerShell), and when I press the Save button, Octopus runs these requests:
- GET api/upgradeconfiguration
- GET api/variables/variableset-LibraryVariableSets-362
- POST api/variables/variableset-LibraryVariableSets-362
- GET api/variables/variableset-LibraryVariableSets-362
I asked users from the Variables editor team to run all those actions. Here is the result:
- GET api/upgradeconfiguration. Octopus returns an error
Request .../api/upgradeconfiguration Request Method:GET Status Code:403 { "ErrorMessage": "You do not have permission to perform this action. Please contact your Octopus administrator. Missing permission: AdministerSystem", "HelpText": "This action requires permission to perform system-level configuration tasks and access control. None of your teams have this permission. Teams that have enough permission include: Bots: ThugKiller and Octopus Administrators." }
- GET api/variables/variableset-LibraryVariableSets-362. Runs normally. The user gets JSON with all 600 lines of PowerShell.
- POST api/variables/variableset-LibraryVariableSets-362. Didn’t try, but I think it should work fine too.
I think that there is a bug in that variable editors don't have permission to change script modules. This is also strange, as only an Administrator can change script modules.
I'm not sure if these issues are related, but I've found a bug on GitHub which could bring about this behaviour: https://github.com/OctopusDeploy/Issues/issues/3038
Kind regards,
Denis Titusov