woodpecker-ci/woodpecker

Cannot see org/group linked secrets on repo despite having write access

Opened this issue · 8 comments

Component

web-ui

Describe the bug

Hi,

I am not able to see secrets assigned to an org or groups that I am a part of in a repository where I have write access.

I can see secrets if I'm set as a Woodpecker administrator. As a regular user, I can use those secrets but the list appears empty.

I should see secrets on the settings > secrets page of a repository which I am an admin of in the forge.

Note:
When I go to settings > secrets, an error pops up: ": user not authorized".
The repository is placed in an organization where I have write access permissions. When I try to go back to the org by clicking on its name, the ": user not authorized" error pops up again and the list is empty.

Steps to reproduce

  1. Create a repository in an organization where you have write access
  2. Enable it on Woodpecker
  3. Go to settings then secrets

Expected behavior

I should be able to see secrets linked to organizations and groups that I am a part of without being a Woodpecker admin on repositories that I'm an administrator of.

System Info

Woodpecker 2.8.0

Additional context

No response

Validations

  • Read the docs.
  • Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
  • Checked that the bug isn't fixed in the next version already [https://woodpecker-ci.org/faq#which-version-of-woodpecker-should-i-use]

Are you an admin of the org?

No, but I do have write access on this org.

Afaik you need org admin settings to view the org's secrets. Just write is not enough. I can check that again later

If that's how it works right now, alright, but shouldn't I (even as a reader) be able to see the secrets available on a repo?

Cannot reproduce on next-21755bef4e.

I should see secrets on the settings > secrets page of a repository which I am an admin of in the forge.

I am an admin in the forge
Screenshot 2024-12-10 1
Screenshot 2024-12-10 2

of a repository
Screenshot 2024-12-10 3

I can see secrets on the settings page
Screenshot 2024-12-10 4

@zc-devs You must not be an admin of the forge nor the organisation

You must not be an admin of the forge

Sure
Screenshot 2024-12-10 1

You must not be an admin of the organization

Sure. lucius is not in owners team or any team with org wide administration access.

lucius is in the team-bravo only (I've checked again)

Screenshot 2024-12-10 2

The members of team-bravo (lucius) have an admin access only to the flixnet/eureka repository: ⬆️ see specific repositories, ⬇️ added team-bravo to specific flixnet/eureka repository.

Screenshot 2024-12-10 3

lucius is not an admin in Woodpecker either

woodpecker=# select login, admin from users;
     login     | admin
---------------+-------
 admin         | t
 kate          | f
 john          | f
 lucius        | f
 user1         | f
(5 rows)

Therefore, I believe this perfectly matches the requirements

I should see secrets on the settings > secrets page of a repository which I am an admin of in the forge
repository which I am an admin of in the forge


I am not able to see secrets assigned to an org or groups that I am a part of in a repository where I have write access

And if we are going to analyze this sentence ⬆️ (which is kinda controversial to the previous one, BTW), then I do not have access to the repo settings (and the secrets part obviously) at all #4516 (which is right, IMO).

Hi!
What I don't understand is that, as long as I'm able to access settings of a repository on Woodpecker, I think I should be allowed to see all the secrets that are available to this repository.

Which isn't the case for me:
screenshot-11-12-24-16-19-10