  1. Jenkins
  2. JENKINS-1837

Anonymous users are able to reset scores even with security enabled


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Component/s: ci-game-plugin
    • Labels:
      None
    • Environment:
      Platform: All, OS: Linux

      Description

      With ci-game version 1.4, I am able to view the link to reset scores on the
      leader board even if I am logged in anonymously. I do have security enabled in
      matrix mode.

      If I bound the <l:task /> link for the "confirmResetScores" (in sidepanel.jelly)
      with the following check, the link appears only when desired (i.e., when an
      admin is logged in):

      <j:if test="${h.hasPermission(app.ADMINISTER)}">
      <l:task ... href="confirmResetScores" ... permission="${it.CONFIGURE}" />
      </j:if>

      Not sure if the ${it.CONFIGURE} attribute value is not being picked up, or if I
      have a misconfiguration on my server somewhere.

          Activity

          redsolo added a comment -

          Confirmed

          redsolo added a comment -

          Anon user couldn't really reset the score, as there is a permission check in the code as
          well. Still, it looked like it was possible, and this will be fixed.

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in hudson
          User: redsolo
          Path:
          trunk/hudson/plugins/ci-game/src/main/resources/hudson/plugins/cigame/LeaderBoardAction/sidepanel.jelly
          http://fisheye4.cenqua.com/changelog/hudson/?cs=10003
          Log:
          [FIXED JENKINS-1837] Removed reset scores link for anonymous users. There were changes in the <task> jelly tag.

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in hudson
          User: redsolo
          Path:
          trunk/hudson/plugins/ci-game/src/main/java/hudson/plugins/cigame/LeaderBoardAction.java
          trunk/hudson/plugins/ci-game/src/main/resources/hudson/plugins/cigame/LeaderBoardAction/sidepanel.jelly
          http://fisheye4.cenqua.com/changelog/hudson/?cs=10007
          Log:
          JENKINS-1837 Proper implementation so it works with the new <task> tag
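
The two layers discussed in this issue (hiding the "confirmResetScores" link in the side panel, and the permission check in the code that handles the reset) are modelled below. This is an added example, not code from ci-game or Jenkins; every class, method and user name in it is hypothetical, and the ACL and scores are constructed sample data.

```java
import java.util.*;

// Added illustration; all names are hypothetical, not Jenkins or ci-game API.
public class LeaderBoardDemo {
    enum Permission { READ, ADMINISTER }

    // Constructed matrix-style ACL: user -> granted permissions.
    static final Map<String, Set<Permission>> ACL = Map.of(
        "anonymous", EnumSet.of(Permission.READ),
        "admin", EnumSet.of(Permission.READ, Permission.ADMINISTER));

    // Constructed sample scores.
    static final Map<String, Integer> scores =
        new HashMap<>(Map.of("alice", 12, "bob", 7));

    static boolean hasPermission(String user, Permission p) {
        return ACL.getOrDefault(user, Set.of()).contains(p);
    }

    // Presentation layer: which side-panel links are rendered. Cosmetic only.
    static List<String> sidePanelLinks(String user) {
        List<String> links = new ArrayList<>(List.of("leaderboard"));
        if (hasPermission(user, Permission.ADMINISTER)) {
            links.add("confirmResetScores");
        }
        return links;
    }

    // Enforcement layer: the handler checks again, because the URL can be
    // requested whether or not the link was rendered.
    static void resetScores(String user) {
        if (!hasPermission(user, Permission.ADMINISTER)) {
            throw new SecurityException(user + " lacks ADMINISTER");
        }
        scores.replaceAll((name, score) -> 0);
    }

    public static void main(String[] args) {
        System.out.println("anonymous sees: " + sidePanelLinks("anonymous"));
        System.out.println("admin sees:     " + sidePanelLinks("admin"));
        try {
            resetScores("anonymous");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("after anonymous attempt: " + scores);
        resetScores("admin");
        System.out.println("after admin reset:       " + scores);
    }
}
```

Removing the check in `sidePanelLinks` reproduces the reported symptom (the link is shown to everyone) without changing what `resetScores` allows.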


            People

            • Assignee: redsolo
            • Reporter: drather19
            • Votes: 0
            • Watchers: 0
