- Bug
- Resolution: Fixed
- Low
- 8.2.0, 8.1.4
- None
- 3
- Severity 1 - Critical
Issue Summary
Non-admin users are unable to access projects if view permission is granted to a group.
Plan permissions are no longer working.
The issue was initially reported as the plan permissions of non-admin users being broken after upgrading Bamboo to 8.1.4. However, the same permission issue is also seen on a clean install of Bamboo 8.1.4.
It happens with both Active Directory and the internal user directory.
Users in a particular group are able to access the project, list plans, and see the most recent build results and number of tests, but on navigating to plan pages they receive a message stating "Access denied".
Steps to Reproduce
1. Spin up a Bamboo 8.1.4 instance.
2. Log in as an admin.
3. Create a sample project and a plan inside it.
4. Add users via Active Directory or create a user via the GUI.
5. Add the user to the group.
6. Provide “Access” permission to the group and user.
7. Navigate to project permissions and grant the group “view” permission.
8. Navigate to the plan permissions via Actions -> Configure plan -> Permissions. Provide the group view access.
9. Log out as admin.
10. Log in as the user created in step 4.
11. The user can access the project, list plans, and see the most recent build results and number of tests.
12. Click on the plan.
Note: Even if admin rights are given to the group in project and plan permissions, the plan is still not accessible.
Expected Results
Plan details should appear
Actual Results
Users are receiving an error message stating "Access denied".
At this moment, the following log entry appears in atlassian-bamboo.log:
atlassian-bamboo.log:2022-04-07 14:39:12,659 WARN [https-openssl-nio-443-exec-17] [AuthorizationLoggerListener] Authorization failed: org.acegisecurity.AccessDeniedException: Access is denied; authenticated principal: org.acegisecurity.adapters.PrincipalAcegiUserToken@1038be50: Username: EmbeddedCrowdUser{name='security.viewer', displayName='Security Viewer', directoryId=65537}; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_USER; secure object: ReflectiveMethodInvocation: public abstract boolean com.atlassian.bamboo.plan.PlanManager.assertPlanPermission(com.atlassian.bamboo.plan.PlanIdentifier); target is of class [com.atlassian.bamboo.plan.PlanManagerImpl]; configuration attributes: [ACL_BUILD_READ]
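To see which users and permission checks are hit, entries of this form can be extracted from atlassian-bamboo.log and counted per user and ACL attribute. This is an added example, not part of the original issue or of Bamboo itself; the field patterns are assumed from the single entry quoted above, and the second sample line is constructed.

```python
import re
from collections import Counter

# Constructed sample: line 1 is the entry quoted in this issue, line 2 is a
# made-up unrelated line to show that non-matching lines are skipped.
SAMPLE_LOG = (
    "atlassian-bamboo.log:2022-04-07 14:39:12,659 WARN [https-openssl-nio-443-exec-17] "
    "[AuthorizationLoggerListener] Authorization failed: "
    "org.acegisecurity.AccessDeniedException: Access is denied; authenticated principal: "
    "org.acegisecurity.adapters.PrincipalAcegiUserToken@1038be50: Username: "
    "EmbeddedCrowdUser{name='security.viewer', displayName='Security Viewer', "
    "directoryId=65537}; Password: [PROTECTED]; Authenticated: true; Details: null; "
    "Granted Authorities: ROLE_USER; secure object: ReflectiveMethodInvocation: "
    "public abstract boolean com.atlassian.bamboo.plan.PlanManager.assertPlanPermission"
    "(com.atlassian.bamboo.plan.PlanIdentifier); target is of class "
    "[com.atlassian.bamboo.plan.PlanManagerImpl]; configuration attributes: [ACL_BUILD_READ]\n"
    "2022-04-07 14:39:13,001 INFO [constructed-thread] [ConstructedClass] unrelated line\n"
)

# Field patterns follow the layout of the single entry shown in the issue (assumption).
DENIED = re.compile(r"\[AuthorizationLoggerListener\] Authorization failed:")
FIELDS = {
    "time": re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) WARN"),
    "user": re.compile(r"Username: \w+\{name='([^']*)'"),
    "authorities": re.compile(r"Granted Authorities: ([^;]*);"),
    "method": re.compile(r"ReflectiveMethodInvocation: [^(]*?([\w.]+)\("),
    "attribute": re.compile(r"configuration attributes: \[([^\]]*)\]"),
}

def parse_denials(text):
    """Return one dict per authorization-failure entry; missing fields become None."""
    denials = []
    for line in text.splitlines():
        if not DENIED.search(line):
            continue
        denials.append({k: (m.group(1).strip() if (m := p.search(line)) else None)
                        for k, p in FIELDS.items()})
    return denials

def summarize(denials):
    """Count denials per (user, ACL attribute) to list who is affected."""
    return Counter((d["user"], d["attribute"]) for d in denials)

if __name__ == "__main__":
    for (user, attr), n in summarize(parse_denials(SAMPLE_LOG)).items():
        print(f"{user}: {n} denial(s) on {attr}")
```

A user who holds only ROLE_USER and is repeatedly denied ACL_BUILD_READ on PlanManager.assertPlanPermission matches the symptom described in this issue.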
Workaround 1
This workaround involves giving elevated access to affected users/groups which gives the highest level of access to the Bamboo instance. It will likely not be suitable for the majority of environments. Please evaluate it carefully within the context of security restrictions that are required for your instance.
- Grant the users or groups global admin access to Bamboo.