Publishing to Octopus Forbidden

After updating to the most recent server version, 3.16.7, though we were a few behind, none of our projects could publish their NuGet packages from TeamCity. We received the following, or similar when pushing:

Response status code does not indicate success: 403 (Forbidden).

I don’t know for sure, but maybe this is a regression related to 3728? The team that the API user was assigned to showed “All Projects” for the Project Groups field, but we couldn’t push until I explicitly assigned each of our individual project groups. The Roles/Permissions were fine and Projects/Environments both show “Any X”, and no other parameters were changed to cause pushing to work again.

Steps to reproduce would seem to be:

  • Make sure the API user is assigned to a team with “All Projects” only
  • Use the API user credentials to push a package to Octopus

If you need any additional information, please let me know. Thanks!

Hi John,

Thanks for raising this issue.
What version were you on prior to the update ?


That’s a really good question, and had I not just been alerted to low disk space on that machine, I would be able to take a quick look at the previous download. Unfortunately I cleaned them all up and cleared the recycle bin just yesterday. I want to say a safe guess was that we were on 3.16.0 or .1 tops. We were definitely a handful out of date since I had been on vacation a bit over the past few weeks. I looked through the audit log and see where I put Octopus into maintenance and took it out, but no additional details. Maybe consider logging more verbose install/upgrade details to the audit log as well?

Hi John,

I finally got to the bottom of this one.
So in v3.16.5 we fixed a bug ( which may be the reason you are seeing this issue now.
In summary the bug is when a user is a member of a project group which has no projects associated with it, if the user has the other relevant permissions, they can view/modify all projects.

So in the roles screen, when you had selected “All Projects” in the Project groups field, you are saying that you only want this role to include projects in the “All projects” group name.
Yes, the group name is called “All Projects” but it does not literally mean every project in Octopus.
So to fix this, either leave this field blank (which mean include all project groups) or specify the project groups you want.

Hope this makes sense now.

So in short, it has been working for you because of the bug mentioned above, but because we now have fixed the bug, you need to update the list of project groups.


Ahh, that makes sense. I should have read that open issue closer because that would have made more sense. Right now I have all the individual projects assigned explicitly, but I’ll try just leaving that field blank tomorrow. Thanks for the quick response as always!