- Bug
- Resolution: Duplicate
- Critical
- None
- Platform: All, OS: All
Hudson ver. 1.232-SNAPSHOT (private-07/07/2008 04:20-tomas)
STEPS to reproduce:
1) Launch a fresh instance of Hudson with a fresh home
2) Enable security; set LDAP, configure LDAP server
3) Select matrix-based security; for Anonymous, grant all permissions except Administer
4) Add some LDAP user, grant all permissions (incl. Administer)
5) Under Anonymous, create a new job (here is the first security clash; see [1])
6) Try to set "Build periodically"; you get [2]
7) A user with Administer permissions has no such problems during new job setup...
SOLUTION:
It seems that at e.g.
hudson.triggers.TimerTrigger$DescriptorImpl.doCheck(TimerTrigger.java:62)
the code uses
new FormFieldValidator(req,rsp,true)
while there should probably be only
new FormFieldValidator(req,rsp,false) //no need to check for admin here
It would be good to search Hudson's code for
new FormFieldValidator(req,rsp,true)
and reevaluate where administrator permissions are really necessary. I found at
least two other places where there is no need to check for admin.
[1]
Caused by: org.acegisecurity.AccessDeniedException:
org.acegisecurity.providers.anonymous.AnonymousAuthenticationToken@7ce80b5d:
Username: anonymous; Password: [PROTECTED]; Authenticated: true; Details:
org.acegisecurity.ui.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1;
SessionId: 04b81c34b294b3b4c27ef6f131b77452; Granted Authorities: is missing
Administer
at hudson.security.ACL.checkPermission(ACL.java:30)
at hudson.model.View.checkPermission(View.java:99)
at hudson.util.FormFieldValidator.process(FormFieldValidator.java:75)
at hudson.model.Hudson.doItemExistsCheck(Hudson.java:2159)
... 43 more
[2]
Caused by: org.acegisecurity.AccessDeniedException:
org.acegisecurity.providers.anonymous.AnonymousAuthenticationToken@7ce80b5d:
Username: anonymous; Password: [PROTECTED]; Authenticated: true; Details:
org.acegisecurity.ui.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1;
SessionId: 04b81c34b294b3b4c27ef6f131b77452; Granted Authorities: is missing
Administer
at hudson.security.ACL.checkPermission(ACL.java:30)
at hudson.model.View.checkPermission(View.java:99)
at hudson.util.FormFieldValidator.process(FormFieldValidator.java:75)
at hudson.triggers.TimerTrigger$DescriptorImpl.doCheck(TimerTrigger.java:62)
- duplicates
- JENKINS-2715 Field validators in configure screen require admin permission
- Closed
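
Added example (not part of the original report and not Hudson source): a simplified Java model of the pattern in the stack traces above, where a form-field validator authorizes the caller before it validates. It goes one step beyond the report by gating the check on the permission the form itself needs instead of dropping the check; every class, enum and method name here is hypothetical.

```java
import java.util.EnumSet;
import java.util.Set;

// Simplified model for illustration; not Hudson source. All names are hypothetical.
public class ValidatorPermissionDemo {
    enum Permission { READ, JOB_CREATE, JOB_CONFIGURE, ADMINISTER }
    record User(String name, Set<Permission> granted) {}

    static class AccessDenied extends RuntimeException {
        AccessDenied(User u, Permission p) { super(u.name() + " is missing " + p); }
    }

    /** Authorizes the caller, then runs the field check. */
    abstract static class FieldValidator {
        private final User caller;
        private final Permission required; // null: no permission check at all

        FieldValidator(User caller, Permission required) {
            this.caller = caller;
            this.required = required;
        }

        abstract String check(String value);

        final String process(String value) {
            if (required != null && !caller.granted().contains(required)) {
                throw new AccessDenied(caller, required);
            }
            return check(value);
        }
    }

    /** Side-effect-free syntax check of a five-field schedule line. */
    static String checkSchedule(User caller, Permission required, String spec) {
        return new FieldValidator(caller, required) {
            @Override String check(String v) {
                return v.trim().split("\\s+").length == 5 ? "ok" : "expected 5 fields";
            }
        }.process(spec);
    }

    public static void main(String[] args) {
        Set<Permission> noAdmin = EnumSet.complementOf(EnumSet.of(Permission.ADMINISTER));
        User anonymous = new User("anonymous", noAdmin);
        // Gate matches the permission the job form itself needs: validation runs.
        System.out.println(checkSchedule(anonymous, Permission.JOB_CONFIGURE, "0 * * * *"));
        try { // Admin-only gate, as in the report: the same user is rejected.
            checkSchedule(anonymous, Permission.ADMINISTER, "0 * * * *");
        } catch (AccessDenied e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

Validators that only parse input can use the narrower gate; checks that reach the filesystem or the network are the cases where keeping a stronger permission is worth reviewing individually.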