Hello,
After upgrading to the latest (2021.1.7316-x64) version, my users are experiencing this permission issue.
Whey trying to push a new package with octo.exe (v7.4.3124):
In my case, a feed with the same name existed in a different space.
And the user had not access to this other space.
This used to work in the version we had previously (2020.1.15-x64).
Is it an intended behavior?
I was not expecting spaces to have adherences one another, as we have distinct administrators on each spaces.
Thank you for contacting Octopus Support. I’m sorry you are having issues with this.
Just to make sure I understand correctly, you have a package that exists in two Spaces. However, your user only has access to one of these Spaces. When the user (using their API key) attempts to push in the package, they are getting the Missing permission: BuiltInFeedPush error for the Space they do not have permissions on. Is this correct?
If this is the case, I can reach out internally to see if this is intended behavior or not.
Yes, that’s correct.
Several months ago, we created a new space, and moved this feed & project to the new space.
We gave this user only access to the new space.
This was working fine, until we upgraded to workaround the last CVE.
I’m going to set up a quick test environment to confirm this behavior on 2021.1.7316. Once that is done, I will reach out internally get more information about this change.
I appreciate your patience while I look into this issue.
I have not been able to successfully reproduce this behavior in my test environment. Could you export and share the user permissions for the user in question via Configuration -> Test Permissions -> select a user -> Export User Permissions? Could you also provide the SpaceId of where the package already existed?
Thank you for getting back to me with the permissions export.
It looks like the Role containing permissions for BuiltInFeedPush is scoped to a few Projects and a Projects Group. I believe this needs to be unscoped for this Space in order for the User to be able to push packages.
Hi @donny.bell ,
This did not make it, but I deleted the projects relying on the Feed on the spaces, #1 and #42 and it unblocked the situation / allowed us to release in space #22.
I’m assuming there has been a permission check change between the 2 releases.
Gilles
There shouldn’t be any correlation between the built-in feeds for each Space. When looking at the Octopus Home directory on the machine Octopus Server is installed on, you should be able to navigate to *OctopusHomeFolder*\Packages\. Here you should see folders for each Space with packages contained in the built-in feed. The same package pushed to two different Spaces will show up in each Space’s feed respectively.
New packages are pushed only to folder built-in feed folders under Space-22 (which is my expectation),
and does not exist in the build-in feed folder under Space-1 (which is also my expectation).
First, as a workaround, tried granting the role on Any spaces/ Any project, and this was also allowing to push.
Then, after deleting the projects, I reverted to the former user role ( with permissions scoped at the space & project levels.), and this works.