Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-14992

Can add "build other projects" trigger to a project we cannot otherwise configure

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      Not sure if this is actually a bug or not. AbstractProject.doConfigSubmit modifies the publishersList of an upstream project regardless of your permissions on that project. I would expect that you would need to have CONFIGURE permission on it. Not clear that there is a specific security threat from adding a BuildTrigger to an arbitrary project, but it will at a minimum result in a config.xml change from an unauthorized user, which might raise eyebrows.

      BuildTrigger.DescriptorImpl.doCheck also ought to issue an error if you have no CONFIGURE permission. doAutoCompleteUpstreamProjects can probably be left alone - complete everything we can see but show an error if you cannot really touch it.

      Also doCheck neglects to check AbstractProject.isConfigurable as doConfigSubmit does.

        Attachments

          Issue Links

            Activity

            jglick Jesse Glick created issue -
            jglick Jesse Glick made changes -
            Field Original Value New Value
            Link This issue is related to JENKINS-14411 [ JENKINS-14411 ]
            jglick Jesse Glick made changes -
            Link This issue is related to JENKINS-16956 [ JENKINS-16956 ]
            jglick Jesse Glick made changes -
            Status Open [ 1 ] Resolved [ 5 ]
            Resolution Not A Defect [ 7 ]
            danielbeck Daniel Beck made changes -
            Link This issue is related to JENKINS-13502 [ JENKINS-13502 ]
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 145711 ] JNJira + In-Review [ 191593 ]

              People

              • Assignee:
                Unassigned
                Reporter:
                jglick Jesse Glick
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: