Developers are unable to view project environment variables #428

@Randominty

Describe the bug
A user with developer privileges on a project is unable to view the project's environment variables.

A developer has project:view scope for getEnvVarsByProjectId which should allow the developer to view the project's environment variables without revealing values.

Lagoon CLI does not implement this. Regardless of the presence of the --reveal flag, the CLI always performs the GQL query for revealing values. The CLI only takes --reveal into account when displaying output. This results in developers consistently receiving an Error: graphql: Unauthorized: You don't have permission to "project:viewValue" on "env_var" exception.

To Reproduce

  1. With an account that only has developer access to a project, execute lagoon list variables -p <project>
 ~ » lagoon list variables -p <project> --debug
graphql>> variables: map[input:map[project:<project>]]
graphql>> query: query (
  $input: EnvVariableByProjectEnvironmentNameInput!
){
  getEnvVariablesByProjectEnvironmentName(input: $input) {
    id
    name
    value
    scope
  }
}

graphql>> headers: map[Accept:[application/json; charset=utf-8] Authorization:[Bearer <redacted>] Content-Type:[application/json; charset=utf-8] User-Agent:[lagoon-client: v0.31.4]]
graphql<< {"errors":[{"message":"Unauthorized: You don't have permission to \"project:viewValue\" on \"env_var\"","locations":[{"line":4,"column":3}],"path":["getEnvVariablesByProjectEnvironmentName"]}],"data":{"getEnvVariablesByProjectEnvironmentName":null}}

Error: graphql: Unauthorized: You don't have permission to "project:viewValue" on "env_var"
  2. Manually run the following GQL to confirm that the account could get a response if the correct GQL was used:
query (
  $input: EnvVariableByProjectEnvironmentNameInput!
){
  getEnvVariablesByProjectEnvironmentName(input: $input) {
    id
    name
    scope
  }
}

Response:
{
  "data": {
    "getEnvVariablesByProjectEnvironmentName": [
      {
        "id": <id>,
        "name": "<envvarname>",
        "scope": "global"
      },
...

Expected behavior

  • A developer should be able to run lagoon list variables -p <project> and receive a list of project environment variables without the values being displayed.
  • A developer should receive an exception if they run lagoon list variables -p <project> --reveal.
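
The expected behaviour above, as an added example that is not Lagoon CLI code and not from the issue author: the query selects `value` only when reveal is requested, so a caller with just `project:view` is not rejected for a field they never asked to see. The function names, the `value-reader` role and the `authorize` stand-in for the API's field-level check are assumptions; only the query shape, the two scope names and the error text come from the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed roles; only the two scope names come from the issue.
var roleScopes = map[string][]string{
	"developer":    {"project:view"},
	"value-reader": {"project:view", "project:viewValue"}, // hypothetical role
}

// buildEnvVarQuery selects the value field only when reveal is set.
func buildEnvVarQuery(reveal bool) string {
	fields := []string{"id", "name", "scope"}
	if reveal {
		fields = []string{"id", "name", "value", "scope"}
	}
	return "query ($input: EnvVariableByProjectEnvironmentNameInput!) {\n" +
		"  getEnvVariablesByProjectEnvironmentName(input: $input) {\n    " +
		strings.Join(fields, "\n    ") + "\n  }\n}"
}

// has reports whether s is an element of list (whole-token match).
func has(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// authorize is an assumed stand-in for the API: selecting value needs project:viewValue.
func authorize(role, query string) error {
	need := "project:view"
	if has(strings.Fields(query), "value") {
		need = "project:viewValue"
	}
	if has(roleScopes[role], need) {
		return nil
	}
	return fmt.Errorf(`Unauthorized: You don't have permission to %q on "env_var"`, need)
}

func main() {
	fmt.Println(authorize("developer", buildEnvVarQuery(false)), authorize("developer", buildEnvVarQuery(true)))
}
```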
