Jenkins / JENKINS-18633

/me/my-views/editDescription may be used by any user to set global description

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: core
    • Environment:
      Windows7 using the integrated webserver using ActiveDirectory authentication and matrix based security.

      Description

      I have a user that has only the single right "Job: read", but is still allowed to change the description of the server (main heading) for everyone.

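      Could be reproduced:
      - log on as this user
        * main page shows up, but no link to change the description
      - click on "my views"
        * this will open the URL https://SERVERNAME/me/my-views
          which is redirected to https://SERVERNAME/me/my-views/view/Alle/
        * On this page the global server description is writeable
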
      This could also be tested by directly opening the URL:
      https://SERVERNAME/me/my-views/editDescription

          Activity

          dominik_ Dominik Schwald created issue -
          dominik_ Dominik Schwald made changes -
          Field Original Value New Value
          Description I have a user that has only the single right "Job: read", but is still allowed to change the description of the server (main heading) for everyone.

          Could be reproduced:
          - log on as this user
            * main page shows up, but no link to change the description
          - click on "my views"
            * this will open the URL https://SERVERNAME/me/my-views
              which is redirected to https://SERVERNAME/me/my-views/view/Alle/
            * On this page the global server description is writeable

          This could also be tested by directly opening the URL:
          https://SERVERNAME/me/my-views/editDescription

          raphc Raphael CHAUMIER made changes -
          Assignee Raphael CHAUMIER [ raphc ]
          jglick Jesse Glick made changes -
          raphc Raphael CHAUMIER made changes -
          Assignee Raphael CHAUMIER [ raphc ]
          jglick Jesse Glick made changes -
          Summary:
            Original: User with the right "READ" is able to change main server description
            New: /me/my-views/editDescription may be used by any user to set global description
          Labels: security → lts-candidate security
          URL: https://github.com/jenkinsci/jenkins/pull/906
          jglick Jesse Glick made changes -
          Assignee: Jesse Glick [ jglick ]
          jglick Jesse Glick made changes -
          Status: Open [ 1 ] → In Progress [ 3 ]
          jglick Jesse Glick made changes -
          Labels: lts-candidate security → folders lts-candidate security
          scm_issue_link SCM/JIRA link daemon made changes -
          Status: In Progress [ 3 ] → Resolved [ 5 ]
          Resolution: Fixed [ 1 ]
          olivergondza Oliver Gondža made changes -
          Labels: folders lts-candidate security → 1.532.1-fixed folders security
          rtyler R. Tyler Croy made changes -
          Workflow: JNJira [ 149943 ] → JNJira + In-Review [ 193364 ]

            People

            • Assignee: jglick Jesse Glick
            • Reporter: dominik_ Dominik Schwald
            • Votes: 0
            • Watchers: 5
