JENKINS-12080: job configuration corrupted when user isn't admin




      Let's consider:

      • a user with job configuration rights and no overall admin right
      • a job containing a system groovy build step

      If the user edits the configuration, makes a change (even without altering the system groovy part) and then saves the configuration, an error message is displayed:

      Access Denied
      <username> is missing the Administer permission

      On job save, the Groovy plugin checks for admin permission to save the system groovy script. It may then fail. This should have been checked before rendering the UI. The side effect is that the job config is partially saved (without the user knowing it) and may be corrupted (the exception occurs on Project.submit() from builders.rebuildHetero, so the job has been partially configured and not saved).

      The job configuration page, when including a system groovy script, should not be editable when the user doesn't have ADMIN permission - not sure about the cleanest way to implement the ADMIN-only configuration

      OR the script should be set read-only for non-ADMIN users and then only displayed for information, but retrieved from a source other than the standard incoming JSON request.
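
The failure mode and the second suggestion above, as an added self-contained model (not code from Jenkins, the Groovy plugin, or the reporter). `Job`, `Step`, `submitUnsafe` and `submitSafe` are hypothetical names, and matching the stored script by position is a simplifying assumption.

```java
import java.util.*;

// Hypothetical model of the failure mode; not Jenkins or Groovy plugin code.
public class JobSubmitDemo {
    record Step(String kind, String script) {}          // kind: "shell" or "systemGroovy"
    static class Job {
        String description = "old";
        List<Step> builders = new ArrayList<>(List.of(new Step("systemGroovy", "println 'stored'")));
    }
    static SecurityException denied(String user) {
        return new SecurityException(user + " is missing the Administer permission");
    }

    // Before: job fields are overwritten first and the permission check fires
    // while the builder list is being rebuilt, so a denial leaves a half-applied job.
    static void submitUnsafe(Job job, String desc, List<Step> form, String user, boolean admin) {
        job.description = desc;
        job.builders.clear();
        for (Step s : form) {
            if (s.kind().equals("systemGroovy") && !admin) throw denied(user);
            job.builders.add(s);
        }
    }

    // After: bind the whole form into locals, then commit. For a non-admin the
    // script is taken from the stored config (matched by position, a simplification),
    // never from the request; adding a new system Groovy step is refused up front.
    static void submitSafe(Job job, String desc, List<Step> form, String user, boolean admin) {
        List<Step> next = new ArrayList<>();
        for (int i = 0; i < form.size(); i++) {
            Step s = form.get(i);
            if (s.kind().equals("systemGroovy") && !admin) {
                boolean kept = i < job.builders.size() && job.builders.get(i).kind().equals("systemGroovy");
                if (!kept) throw denied(user);
                s = job.builders.get(i);
            }
            next.add(s);
        }
        job.description = desc;   // nothing was mutated before this point
        job.builders = next;
    }

    public static void main(String[] args) {
        // Constructed request: a non-admin saves a form whose script field differs from the stored one.
        List<Step> form = List.of(new Step("systemGroovy", "println 'tampered'"), new Step("shell", "make"));
        Job a = new Job(), b = new Job();
        try { submitUnsafe(a, "new", form, "alice", false); } catch (SecurityException e) { System.out.println(e.getMessage()); }
        System.out.println("unsafe: " + a.description + " " + a.builders);
        submitSafe(b, "new", form, "alice", false);
        System.out.println("safe:   " + b.description + " " + b.builders);
    }
}
```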



          ndeloof Nicolas De Loof created issue -
          scm_issue_link SCM/JIRA link daemon made changes -
          Field Original Value New Value
          Status Open [ 1 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          rtyler R. Tyler Croy made changes -
          Workflow JNJira [ 142352 ] JNJira + In-Review [ 190095 ]
          jglick Jesse Glick made changes -
          Link This issue relates to SECURITY-292 [ SECURITY-292 ]


            • Assignee:
              vjuranek vjuranek
              ndeloof Nicolas De Loof