Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-14992

Can add "build other projects" trigger to a project we cannot otherwise configure


    • Similar Issues:


      Not sure if this is actually a bug or not. AbstractProject.doConfigSubmit modifies the publishersList of an upstream project regardless of your permissions on that project. I would expect that you would need to have CONFIGURE permission on it. Not clear that there is a specific security threat from adding a BuildTrigger to an arbitrary project, but it will at a minimum result in a config.xml change from an unauthorized user, which might raise eyebrows.

      BuildTrigger.DescriptorImpl.doCheck also ought to issue an error if you have no CONFIGURE permission. doAutoCompleteUpstreamProjects can probably be left alone - complete everything we can see but show an error if you cannot really touch it.

      Also doCheck neglects to check AbstractProject.isConfigurable as doConfigSubmit does.


          Issue Links


            jglick Jesse Glick created issue -
            jglick Jesse Glick made changes -
            Field Original Value New Value
            Link This issue is related to JENKINS-14411 [ JENKINS-14411 ]
            jglick Jesse Glick made changes -
            Link This issue is related to JENKINS-16956 [ JENKINS-16956 ]
            jglick Jesse Glick made changes -
            Status Open [ 1 ] Resolved [ 5 ]
            Resolution Not A Defect [ 7 ]
            danielbeck Daniel Beck made changes -
            Link This issue is related to JENKINS-13502 [ JENKINS-13502 ]
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 145711 ] JNJira + In-Review [ 191593 ]


              • Assignee:
                jglick Jesse Glick
              • Votes:
                0 Vote for this issue
                2 Start watching this issue


                • Created: