  1. Jenkins
  2. JENKINS-18884

Separate Permission for People View to close Security Hole with AD Plugin

      Description

      Even when choosing the most restricted user rights (Role Plugin: Global Role only 1 Read), it is possible for every user to view the Jenkins User Id AND the name of the user (see screenshots).
      Working with an Active Directory for authentication, this means it's possible for everybody to get the user names from AD AND the common names (Security Hole with AD Plugin?).

      Goal: create a Permission to allow specific People/Roles to see this User Account info and deny it to all others.

            Activity

            ikedam ikedam added a comment -

            Sent a pull request.
            https://github.com/jenkinsci/jenkins/pull/1094

            I did not create a new permission, but added a configuration so that the People page requires READ permission or ADMINISTER permission.

            ikedam ikedam added a comment -

            Another approach.
            https://github.com/jenkinsci/jenkins/pull/1094

            From the beginning, the People page does not need to list ALL users in Jenkins, does it?

            joker3d Konstantin Trunin added a comment -

            This is a serious security breach, so I do not understand why fixing this defect is taking so long.

            vixen03 Maciej M added a comment -

            This issue is really blocking us from switching to Jenkins. Is there any forecast when this could be fixed?

            kothandaraman_sps Kothandaraman added a comment -

            Is there any way to disable the "people" link on the Jenkins Dashboard page?


              People

              • Assignee:
                mreinhardt Martin Reinhardt
                Reporter:
                night_shift Annabella Schmidt
              • Votes:
                14
                Watchers:
                17