Process tab "Download as JSON" does not require ActionTemplateView permission


(Andrew Davidson) #1

In the context of a tenanted project, I am attempting to grant a set of less-privileged users rights to run deploys and view logs, but not get into step template details or backing scripts.

Granting ProcessView is required, but this also seems to enable the Process tab’s “Download as JSON” feature, which exports full details of each step. The UI requires ActionTemplateView permission to click into a process step, so I would expect that same permission to be required to either run the export or receive full detail in each step.

We’re running 2018.5.0.


(Reece) #3

Hi Andrew,

Thanks for getting in touch.

I’m sorry to hear that this is causing an issue for you, though I do greatly appreciate your detailed breakdown; this really helps out!

I suppose a better question at this point would be, what information is present in the Download as JSON export that you believe should not be viewable?

When looking at the export itself, the information found inside is largely the same as what can be seen in the Process view with the associated ProcessView permission. With this in mind, I’m not sure if the export functionality is the issue specifically or if perhaps there is information visible via the process steps that you would like hidden?

Any additional input you can provide would be helpful :slight_smile:

On a side note, I noticed that you are currently operating in Octopus version 2018.5.0. I’d recommend updating at your earliest convenience to 2018.5.1, as the aforementioned version was pulled from our website due to a bug that prevented deployment targets from appearing when attempting to filter a deployment to specific machines.

I look forward to hearing back from you. If you require any further assistance or clarification, please let me know :slight_smile:

Have a great day!

Kind Regards,

Reece


(Andrew Davidson) #4

This is certainly a bit tricky; there is tension between exposing some step metadata to users with ProcessView but not all step content unless users have ActionTemplateView; at least this is what I infer your intention to be from playing with the permissions and reading their descriptions in Octopus (the User Roles help doc doesn’t get down to the Permission level).


It seems inconsistent that a user with ProcessView and ActionTemplateView sees the same step details in the JSON export as a user with ProcessView alone. In the latter case, I can understand metadata being in the export, but not the step contents that are explicitly hidden on the front-end. Put differently, I would generally expect a user with only ProcessView to receive in the JSON export whatever information corresponds to the step blurbs shown on the process view. Perhaps this means removing each step’s Actions element, or perhaps each Action’s Properties…you’ll know your data structures better than I. :slight_smile:

This is definitely a blurry decision–thanks for taking the time.
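
The behaviour requested in this thread, sketched as an added example that is not part of the original posts or of Octopus's own code: a server-side filter that empties each Action's Properties unless the caller also holds ActionTemplateView, plus a helper for checking what an export exposes. The Steps/Actions/Properties nesting and the sample values are assumptions based on the element names mentioned above.

```python
import copy
import json

# Constructed sample; the Steps/Actions/Properties nesting is assumed from the
# element names mentioned in the thread, not taken from a real export.
SAMPLE_EXPORT = json.loads("""
{
  "Steps": [
    {
      "Name": "Run migration",
      "Actions": [
        {
          "Name": "Run migration",
          "ActionType": "Octopus.Script",
          "Properties": {
            "Octopus.Action.Script.ScriptBody": "Invoke-Migration -Server db01"
          }
        }
      ]
    }
  ]
}
""")

PROCESS_VIEW = "ProcessView"
ACTION_TEMPLATE_VIEW = "ActionTemplateView"


def filter_export(process, granted):
    """Return the export a caller holding the `granted` permissions should get."""
    if PROCESS_VIEW not in granted:
        raise PermissionError("ProcessView is required to export a process")
    result = copy.deepcopy(process)  # never mutate the stored process
    if ACTION_TEMPLATE_VIEW in granted:
        return result
    for step in result.get("Steps", []):
        for action in step.get("Actions", []):
            # Keep the metadata shown in the step blurb; drop step contents.
            action["Properties"] = {}
    return result


def leaked_properties(process):
    """List (step, action, key) for every property present in an export."""
    return [(s.get("Name"), a.get("Name"), k)
            for s in process.get("Steps", [])
            for a in s.get("Actions", [])
            for k in (a.get("Properties") or {})]
```

Running `leaked_properties` over an export downloaded as a ProcessView-only user shows whether step contents are still reaching that role.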