JENKINS-14546

Regular users (other than admin) can't see any nested-views (other than the default one) with role-based authorization strategy activated

      Description

      When Role-based Authorization Strategy is applied to Jobs, users other than admin can see their jobs but can't see any Nested-Views (or sub-Nested-views) other than the default one. Only the admin user can see all nested views.

            Activity

            aherbe Anthony HERBÉ added a comment -

            Users have "Read" rights on "View" item but don't have "Configure" rights on "View" item. When "Configure" rights on "View" item is checked, regular users can see any nested-views but this configuration is unsafe.

            aherbe Anthony HERBÉ added a comment -

            I think upgrading Jenkins to version 1.467 or greater will resolve this problem (as mentioned in JENKINS-13429). Can you confirm this?

            jroyer Joël Royer added a comment - - edited

            I have the same problem on my own Jenkins server (Jenkins v1.480, nested View Plugin v1.9).
            I'm admin and I see all nested views. But my regular users can't see it.

            martinkutter Martin Kutter added a comment - - edited

            Problem still remains with Jenkins-1.483, Nested View Plugin 1.8, and 1.9, role-strategy 1.1.2.

            Without View.READ permissions, nested views are not shown as tabs, but can be accessed if the URL's guessed correctly.

            martinkutter Martin Kutter added a comment - - edited

            I think this is due to how Jenkins handles read permissions in Views.

            In hudson.security.AuthorizationStrategy#getACL, there's the following code:

            if (!hasPermission && permission == View.READ) {
                return base.hasPermission(a,View.CONFIGURE) || !item.getItems().isEmpty();
            }
            

            The problem here is that for a nested view containing views (and no Jobs), item.getItems().isEmpty() is always true (getItems() only returns TopLevelElements - which [nested] views are not).

            One way to fix this could be to introduce an isEmpty() method in hudson.model.Views - which would return this.getItems.isEmpty(). Subclasses like NestedView from the Nested Views Plugin could override this method, and return true if any of the contained views is not empty.

            lmcazra Audrey Azra added a comment - - edited

            We are facing the same problem (Jenkins LTS 1.466.2 & Nested View 1.9) [using Project-based Matrix Authorization Strategy]
            Even if View.READ permission is granted, nested views are not visible to regular (non-admin) users;
            As a workaround, we have emailed the affected users the URL to the view (eg: http://jenkins_server/view/VIEWNAME)
            [Note: This issue was not visible when we were running Jenkins 1.450 / Nested view plugin 1.8]

            jglick Jesse Glick added a comment -

            JENKINS-13429 was fixed in 1.467. @martinkutter your comment about getACL is missing the point, which is that you need to grant View.READ for people to see the views. The block you quote is only for backward compatibility with old versions of Jenkins that did not define View.READ at all.

            martinkutter Martin Kutter added a comment -

            The issue is not fixed in Jenkins 1.467.

            I'm on 1.480.3-LTS with Role Strategy plugin 1.1.2 and Nested View Plugin 1.8.

            We have several top-level views, which are only shown when a user has the (global) View.READ permission. They are not shown as tabs in the UI, but can be accessed by directly invoking the view's URL. These views are of the type "Nested View" and do not contain other jobs.

            This means that the "backward compatibility" trick in JENKINS-3681 does not work when a view contains only other views (and no jobs).

            A user can either see all views (by means of the View.READ permission), or only views containing Jobs.

            brainbug Brain Bug added a comment - - edited

            I'm on 1.480.3-LTS with Role Strategy plugin 1.1.2 and Nested View Plugin 1.9.

            Martin Kutter: "These views are of the type "Nested View" and do not contain other jobs"
            => I created a dummy job on my nested view as a direct child but still the nested view is not visible for users who have the rights.

            But yes, if you know the Links (of the Job, the Nested View or a Subview) you have access to them.

            ntshako Hannes Kogler added a comment -

            We have the same problems when using both of the plugins.

            Jenkins v1.518
            Role-based Authorization Strategy Plugin v1.1.2
            Nested View Plugin v1.10

            regardless if the jobs of the nested views have jobs or not. Users with standard permissions cannot access the nested Views and only see those jobs through the All view.
            Would be great if anybody fixes this, because I don't want to grant every user the admin permissions to see all views..

            yoichi Yoichi Nakayama added a comment -

            What is the remaining problem?

            A user assigned to role with Overall.Read & Job.Read & View.Read
            can see nested views.

            Tested on

            • Jenkins 1.538
            • Role-based Authorization Strategy 2.1.0
            • Nested View Plugin 1.13
            mateofacu Facundo Mateo added a comment - - edited

            Yoichi, the problem is that we don't want to give that kind of permission to all users.
            A standard user with just a job specific permission (not global) should view the tab if it contains any allowed job in a subview.

            yoichi Yoichi Nakayama added a comment -

            Facundo,
            The behavior described in my previous post is same for ListView and AllView,
            then the remaining problem is not specific to NestedView.

            oblongzebra oblongzebra added a comment -

            Small workaround, if you have a link for the page, a normal user can access the page. (btw we are using 1.534 and are experiencing this problem)

            s0undt3ch Pedro Algarvio added a comment -

            Using 1.5.45, this is still present for, at least, list views.

            jroyer Joël Royer added a comment - - edited

            Issue is still present in 1.549!!!

            I have a nested view, with one sub-view (type list view).

            Admin users can see nested view and its sub-view, and all jobs associated with it.
            Regular users (with only Global Read permission) can't see the nested view. But they can see jobs in the tab "All".

            The only way I found is to assign View Read Permission to regular users. But they can see all views, even those without jobs.

            mcklaus Klaus Azesberger added a comment - - edited

            I'm not sure yet, but we recently discovered that the folder plugin (there is also a non-enterprise one) could maybe become handy in these cases instead of using the nested view plugin. hth

            harrygg Harry G. added a comment -

            True, we also use Folders Plugin. It avoids this bug, but introduces a different concept - with some other advantages, but lots of changes.

            mulder847 Daniel Mueller added a comment -

            I created a pull request to fix this bug: https://github.com/jenkinsci/nested-view-plugin/pull/20

            The fix involves implementing the hasPermission method in the nestedview class. The method checks if any of the containing sub views returns true for hasPermission; if none returned true, it calls super.hasPermission. This allows configuration of empty nested views.
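
The recursion discussed in this thread (the isEmpty() hook proposed for the getACL fallback, and the sub-view check described for the pull request), as an added example that is not code from Jenkins, the Nested View plugin or any commenter. It is a simplified model: every class and method name is hypothetical, and getItems is assumed to return only the direct jobs the user may read.

```java
import java.util.*;
import java.util.stream.*;

// Simplified model of the thread's diagnosis; hypothetical names, not Jenkins source.
public class NestedViewVisibility {
    static abstract class View {
        final String name;
        View(String name) { this.name = name; }
        // Stand-in for getItems(): direct jobs the user may read, never sub-views.
        abstract List<String> getItems(Set<String> readableJobs);
        // The isEmpty() hook proposed in the thread; default mirrors getItems().isEmpty().
        boolean isEmpty(Set<String> readableJobs) { return getItems(readableJobs).isEmpty(); }
    }

    static class ListView extends View {
        final List<String> jobs;
        ListView(String name, String... jobs) { super(name); this.jobs = Arrays.asList(jobs); }
        List<String> getItems(Set<String> readable) {
            return jobs.stream().filter(readable::contains).collect(Collectors.toList());
        }
    }

    static class NestedView extends View {
        final List<View> children;
        NestedView(String name, View... children) { super(name); this.children = Arrays.asList(children); }
        List<String> getItems(Set<String> readable) { return Collections.emptyList(); }
        // Override: empty only when every contained view is empty for this user.
        @Override boolean isEmpty(Set<String> readable) {
            return children.stream().allMatch(v -> v.isEmpty(readable));
        }
    }

    // Fallback as quoted in the thread, applied when View.READ is not granted.
    static boolean legacyVisible(View v, boolean canConfigure, Set<String> readable) {
        return canConfigure || !v.getItems(readable).isEmpty();
    }

    // Same fallback routed through the overridable isEmpty() hook.
    static boolean recursiveVisible(View v, boolean canConfigure, Set<String> readable) {
        return canConfigure || !v.isEmpty(readable);
    }

    public static void main(String[] args) {
        // Constructed sample: a regular user who can read one job and has no View permissions.
        Set<String> readable = new HashSet<>(Arrays.asList("team-a-build"));
        View teamA = new NestedView("TeamA", new ListView("Builds", "team-a-build"));
        View teamB = new NestedView("TeamB", new ListView("Builds", "team-b-build"));
        for (View v : Arrays.asList(teamA, teamB)) {
            System.out.printf("%s legacy=%b recursive=%b%n", v.name,
                legacyVisible(v, false, readable), recursiveVisible(v, false, readable));
        }
    }
}
```

In this model TeamA, whose only readable job sits one level down, is hidden by the legacy check and shown by the recursive one, while TeamB stays hidden under both.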


              People

              • Assignee: mindless Alan Harder
              • Reporter: aherbe Anthony HERBÉ
              • Votes: 16
              • Watchers: 24