Let's consider:
- a user with job configuration rights and no overall admin right
- a job containing a system groovy build step
If the user edits the configuration, makes a change (even without altering the system groovy part) and then saves the configuration, an error message is displayed:
<username> is missing the Administer permission
On job save, the Groovy plugin checks for admin permission to save the system groovy script. It may then fail. This should have been checked before rendering the UI. The side effect is that the job config is partially saved (without the user knowing it) and may be corrupted (the exception occurs on Project.submit() from builders.rebuildHetero, so the job has been partially configured and not saved).
The job configuration page, when including a system groovy script, should not be editable when the user doesn't have ADMIN permission. Not sure about the cleanest way to implement the ADMIN-only configuration.
OR the script should be set read-only for non-ADMIN users and then only displayed for information, but retrieved from a source other than the standard incoming JSON request.
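The partial-save failure mode and the second proposal (take the script from the stored configuration rather than the request for non-admins), as an added example that is not Jenkins or Groovy plugin code. `JobConfig`, `submitUnsafe` and `submitSafe` are hypothetical names in a self-contained model, and the form data is constructed.

```java
import java.util.*;

// Added illustration: a self-contained model, not Jenkins or Groovy plugin code.
// JobConfig, submitUnsafe and submitSafe are hypothetical names.
public class SystemGroovySaveDemo {
    static class JobConfig {
        String description = "nightly build";
        String systemGroovyScript = "println 'admin-authored'";
        boolean persisted = true;
    }

    // Models the reported behaviour: fields are applied one by one and the
    // Administer check fires in the middle, after the live object was changed.
    static void submitUnsafe(JobConfig job, Map<String, String> form, boolean isAdmin) {
        job.persisted = false;
        job.description = form.get("description");
        if (!isAdmin) throw new SecurityException("user is missing the Administer permission");
        job.systemGroovyScript = form.get("script");
        job.persisted = true;
    }

    // Hardened variant: build the new state on a copy, take the script from the
    // stored config (never from the request) for non-admins, then return it whole.
    static JobConfig submitSafe(JobConfig job, Map<String, String> form, boolean isAdmin) {
        JobConfig next = new JobConfig();
        next.description = form.get("description");
        next.systemGroovyScript = isAdmin ? form.get("script") : job.systemGroovyScript;
        next.persisted = true;
        return next;
    }

    public static void main(String[] args) {
        // Constructed form submission from a user with Configure but not Administer.
        Map<String, String> form = new HashMap<>();
        form.put("description", "edited by non-admin");
        form.put("script", "println 'tampered'");

        JobConfig a = new JobConfig();
        try { submitUnsafe(a, form, false); } catch (SecurityException e) {
            System.out.println("unsafe: " + e.getMessage());
        }
        System.out.println("unsafe state: desc=" + a.description + " persisted=" + a.persisted);

        JobConfig b = submitSafe(new JobConfig(), form, false);
        System.out.println("safe state: desc=" + b.description + " script=" + b.systemGroovyScript
                + " persisted=" + b.persisted);
    }
}
```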
|Field||Original Value||New Value|
|Status||Open [ 1 ]||Resolved [ 5 ]|
|Resolution|| ||Fixed [ 1 ]|
|Workflow||JNJira [ 142352 ]||JNJira + In-Review [ 190095 ]|
|Link|| ||This issue relates to SECURITY-292 [ SECURITY-292 ]|