Let's consider :

• a user with job configuration rights and no overall admin right
• a job containing a system groovy build step

If the user edits the configuration, makes a change (even without altering the system groovy part) and then saves the configuration, an error message is displayed :

Access Denied
<username> is missing the Administer permission

On Job save, Groovy plugin checks for admin permission to save the system groovy script. It may then fail. This should have been checked before rendering UI. The side effect is that the job config is partially saved (without user to know it) and may be corrupted (exception occurs on Project.submit() from builders.rebuildHetero, so job has been partially configured and not saved.

The job configuration page, when including a system groovy script, should not be editable when user don't have ADMIN permission - Not sure about the cleaner way to implement the ADMIN only configuration

OR the script should be set read-only for non ADMIN and then only displayed for information, but retrieved from another source than the standard incoming JSON request.