Non system admin fail to delete environment or Deployment Project that have dedicated agent

Issue Summary

When a non system admin delete an environment or Deployment Project that have dedicated agent, it will fail with permission issue and the environment will disappear from this non system admin view

Steps to Reproduce

1. System Admin userA set Deployment Project View and Edit permission to non system admin userB
2. userB create an environment
3. userB add dedicate agent to the environment
4. userB delete the environment or the Deployment Project

Expected Results

The environment or Deployment Project is deleted

Actual Results

The delete fail with the following error:

Access denied
Sorry, you have insufficient permissions to view the page. Please contact an administrator if you believe this is an error.

The following is thrown in atlassian-bamboo.log:

2019-03-20 22:13:33,543 WARN [http-nio-8085-exec-15] [AuthorizationLoggerListener] Authorization failed: org.acegisecurity.AccessDeniedException: Authentication userB has NO permissions to the domain object com.atlassian.bamboo.deployments.environments.EnvironmentImpl@2ec85b7c; authenticated principal: org.acegisecurity.adapters.PrincipalAcegiUserToken@41b8051f: Username: EmbeddedCrowdUser{name='userB', displayName='userB', directoryId=65537}; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_USER; secure object: ReflectiveMethodInvocation: public abstract com.atlassian.bamboo.deployments.environments.Environment com.atlassian.bamboo.deployments.environments.service.EnvironmentService.getEnvironment(long) throws org.acegisecurity.AccessDeniedException; target is of class [com.atlassian.bamboo.deployments.environments.service.EnvironmentServiceImpl]; configuration attributes: [ROLE_USER, ROLE_ANONYMOUS, AFTER_ACL_READ]

For Bamboo Specs, the first push that attempts to remove the environment will fail with:

[ERROR] Failed to execute goal com.atlassian.bamboo:bamboo-specs-runner:6.10.4:run (default-cli) on project bamboo-specs: Execution default-cli of goal com.atlassian.bamboo:bamboo-specs-runner:6.10.4:run failed: java.lang.reflect.InvocationTargetException: An error occurred while publishing deployment $DEPLOYMENT_PROJECT: Authentication $USERNAME has NO permissions to the domain object com.atlassian.bamboo.deployments.environments.EnvironmentImpl@13ad1627 -> [Help 1]

Subsequent pushes after that will fail with:

[ERROR] Failed to execute goal com.atlassian.bamboo:bamboo-specs-runner:6.10.4:run (default-cli) on project bamboo-specs: Execution default-cli of goal com.atlassian.bamboo:bamboo-specs-runner:6.10.4:run failed: java.lang.reflect.InvocationTargetException: An error occurred while publishing deployment $DEPLOYMENT_PROJECT: You need READ permission on every deployment environment in order to modify deployment project -> [Help 1]

Notes

• userA still able to see the environment in the Deployment Project
• userB or any other non system admin can't see the environment anymore - restarting Bamboo will make the environment visible by non system admin again
• It will appear confusing, because to an administrator – the permissions will still appear to be granted to other users. Simply toggling these permissions by the administrator will be sufficient to restore them too.
• If that is the only environment in the Deployment Project, the Deployment Project will not be visible by non system admin too.
• If other environment exist in the Deployment Project, the other environment and Deployment Project will still be visible by non system admin

Workaround

Have a Bamboo administrator remove the affected deployment environment.
Ensure that agent dedications on the environment are removed before environment removal by non-admins.