Jenkins / JENKINS-14992

Can add "build other projects" trigger to a project we cannot otherwise configure


      Description

      Not sure if this is actually a bug or not. AbstractProject.doConfigSubmit modifies the publishersList of an upstream project regardless of your permissions on that project. I would expect that you would need to have CONFIGURE permission on it. Not clear that there is a specific security threat from adding a BuildTrigger to an arbitrary project, but it will at a minimum result in a config.xml change from an unauthorized user, which might raise eyebrows.

      BuildTrigger.DescriptorImpl.doCheck also ought to issue an error if you have no CONFIGURE permission. doAutoCompleteUpstreamProjects can probably be left alone - complete everything we can see but show an error if you cannot really touch it.

      Also doCheck neglects to check AbstractProject.isConfigurable as doConfigSubmit does.
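The checks the description asks for, as an added self-contained Java model. This is not Jenkins code and not a patch from the project. `Project`, `canConfigure`, `check` and `submit` are hypothetical stand-ins for `AbstractProject`, a CONFIGURE permission check, `doCheck` and `doConfigSubmit`, and the users and project names are constructed sample data.

```java
import java.util.*;

// Simplified model, not Jenkins code. Project stands in for AbstractProject.
public class UpstreamTriggerCheck {
    static class Project {
        final String name;
        final boolean configurable;                          // models isConfigurable()
        final Set<String> configurers = new HashSet<>();     // users holding CONFIGURE
        final List<String> publishers = new ArrayList<>();   // models publishersList
        Project(String name, boolean configurable, String... users) {
            this.name = name;
            this.configurable = configurable;
            configurers.addAll(Arrays.asList(users));
        }
        boolean canConfigure(String user) { return configurers.contains(user); }
    }

    // Form-validation analogue (doCheck): null means OK, otherwise the error text.
    static String check(String user, Project upstream) {
        if (upstream == null) return "No such project";
        if (!upstream.configurable) return upstream.name + " is not configurable";
        if (!upstream.canConfigure(user)) return "No CONFIGURE permission on " + upstream.name;
        return null;
    }

    // Submit analogue (doConfigSubmit): repeat the same check on the server side and
    // skip any upstream that fails it, so that project's configuration never changes.
    static List<String> submit(String user, Project downstream,
                               Map<String, Project> all, List<String> upstreamNames) {
        List<String> rejected = new ArrayList<>();
        for (String n : upstreamNames) {
            Project up = all.get(n);
            String err = check(user, up);
            if (err != null) { rejected.add(n + ": " + err); continue; }
            String trigger = "BuildTrigger(" + downstream.name + ")";
            if (!up.publishers.contains(trigger)) up.publishers.add(trigger);
        }
        return rejected;
    }

    public static void main(String[] args) {
        // Constructed sample data: alice holds CONFIGURE on "lib" and "app" only.
        Map<String, Project> all = new HashMap<>();
        all.put("lib", new Project("lib", true, "alice"));
        all.put("release", new Project("release", true, "bob"));
        all.put("matrix-child", new Project("matrix-child", false, "alice"));
        Project app = new Project("app", true, "alice");
        List<String> rejected = submit("alice", app, all,
                Arrays.asList("lib", "release", "matrix-child"));
        System.out.println("lib publishers: " + all.get("lib").publishers);
        System.out.println("release publishers: " + all.get("release").publishers);
        System.out.println("rejected: " + rejected);
    }
}
```

Sharing one `check` between validation and submit keeps the form error and the server-side enforcement from drifting apart, which is the gap the last line of the description points at.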

            Activity

            jglick Jesse Glick added a comment -

            Not a bug as such, but JENKINS-16956 discusses better ideas.


              People

              • Assignee:
                Unassigned
                Reporter:
                jglick Jesse Glick