Deployment-only access is not working
Problem
It seems that the start/play button is disabled for manual jobs that triggers a dynamically generated child pipeline, even when the user has access to the protected environment specified for that child job.
In the following examples, the user had reporter
access to a group that was invited to a project with a reporter
access as well. The group itself had deploy access to the protected environment. According to our documentation, this user should have the ability to run the deployment and the button should be clickable.
However, in both examples, the button was disabled. See below.
configuration
Eric'sconfiguration
Brie'sNote: according to this comment, the issue is likely not specific to the reporter
role, but happens for all non-maintainers with the same access as described in the steps below.
Steps to reproduce
You can reproduce this issue by following the steps below:
- Create a new group (e.g.
group_1
). - Create a new user (e.g.
user_1
). - Add the user to the group as a
reporter
. - Create a new project in a different group (e.g.
group 2
). - Create an environment in the project (e.g.
production
). - Invite
group_1
to the project as areporter
. - Protect the environment by making
group_1
allowed to deploy (see documentation). - Run a pipeline using either configuration provided (check comments linked below).
- Log in using
user_1
credentials and validate that start/play button appears but is disabled.
Check comments here and here for further information.
Proposal
The fix is likely shared between backend and frontend.
It seems that the button is disabled whenever the job (whether it is an instance of Ci::Build
or Ci::Bridge
) does not have action
defined in the GraphQL query result used by job_item.vue
. The proposal is to remove (not allowed)
from the label, and ensure the job has an action
object whenever a non-maintainer user/group has deployment only access to a protected environment.