JENKINS-31649

SECURITY-186 regression: non-item tasks hidden

      Description

      The fix for SECURITY-186 hides a lot of other tasks that should not be hidden... rather than testing for tasks that implement Item it should be checking against tasks that implement AccessControlled so that tasks can still remain visible

            Activity

            stephenconnolly Stephen Connolly created issue -
            stephenconnolly Stephen Connolly added a comment - https://github.com/jenkinsci/jenkins/pull/1919
            stephenconnolly Stephen Connolly made changes -
            Field Original Value New Value
            Status Open [ 1 ] In Progress [ 3 ]
            stephenconnolly Stephen Connolly made changes -
            Labels lts-candidate
            stephenconnolly Stephen Connolly added a comment - Daniel Beck WDYT?
            danielbeck Daniel Beck added a comment -

            Stephen Connolly Makes sense to me.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Stephen Connolly
            Path:
            core/src/main/java/hudson/model/Queue.java
            http://jenkins-ci.org/commit/jenkins/cf1fdf98e435b4c7df54f1a8e958d185f1a0f3d2
            Log:
            [FIXED JENKINS-31649] Check should be against AccessControlled and Permission.READ

            • The previous check was too narrow.
            • We now check on AccessControlled (which is implemented by Item)
            • We now also check on Permission.READ (which is the generic read permission)

            This should allow subtasks whose task may not be an Item to at least implement AccessControlled to allow visibility.

            There remains an open question as to whether tasks that are not AccessControlled should ever be visible in the UI

            scm_issue_link SCM/JIRA link daemon made changes -
            Status In Progress [ 3 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Stephen Connolly
            Path:
            core/src/main/java/hudson/model/Queue.java
            http://jenkins-ci.org/commit/jenkins/46ef3a5776b9a60a1e5d364c29afda01fa09faed
            Log:
            Merge pull request #1919 from stephenc/jenkins-31649

            [FIXED JENKINS-31649] Check should be against AccessControlled not Item

            Compare: https://github.com/jenkinsci/jenkins/compare/23276180209b...46ef3a5776b9

            olivergondza Oliver Gondža made changes -
            Labels lts-candidate 1.625.3-rejected
            jglick Jesse Glick made changes -
            Link This issue is blocking SECURITY-186 [ SECURITY-186 ]
            jglick Jesse Glick made changes -
            Labels 1.625.3-rejected 1.625.3-rejected regression
            jglick Jesse Glick made changes -
            Summary SECURITY-186 fix is too aggressive SECURITY-186 regression: non-item tasks hidden
            jglick Jesse Glick added a comment -

            Reproducible in 1.625.2 even with no security: create a Workflow job

            node('whatever') {}
            

            and build. You should see an entry in the queue widget, but you do not.

            jglick Jesse Glick made changes -
            Labels 1.625.3-rejected regression 1.625.3-rejected regression workflow
            jglick Jesse Glick added a comment -

            PR 1919 would not fix that. However I could make PlaceholderTask be AccessControlled, in which case a backport of this fix plus a plugin update would correct the regression.
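
The two visibility policies discussed in this issue, modelled side by side as an added example; this is not the code from Queue.java or from the workflow plugin. The nested types are simplified stand-ins for the Jenkins types named in the commit message, `Perm.ITEM_READ` and `Perm.GENERIC_READ` are hypothetical names modelling an item-level read permission and Permission.READ, and the model assumes a task that is not AccessControlled stays hidden, consistent with the comment above.

```java
import java.util.*;

// Simplified stand-ins for the Jenkins types named in the commit message; not the real API.
public class QueueVisibilityDemo {
    enum Perm { ITEM_READ, GENERIC_READ }   // hypothetical: item-level read and Permission.READ
    interface Task { String name(); }
    interface AccessControlled { boolean hasPermission(String user, Perm p); }
    interface Item extends AccessControlled { }   // every Item is AccessControlled

    // Constructed sample task: grants maps a user name to the permissions that user holds.
    static class AclTask implements Task, AccessControlled {
        final String name; final Map<String, Set<Perm>> grants;
        AclTask(String name, Map<String, Set<Perm>> grants) { this.name = name; this.grants = grants; }
        public String name() { return name; }
        public boolean hasPermission(String user, Perm p) {
            return grants.getOrDefault(user, Set.of()).contains(p);
        }
    }
    static class JobTask extends AclTask implements Item {
        JobTask(String n, Map<String, Set<Perm>> g) { super(n, g); }
    }
    static class OpaqueTask implements Task {   // implements neither Item nor AccessControlled
        public String name() { return "opaque"; }
    }

    // Narrow policy: only a task that is an Item can ever be shown.
    static boolean visibleNarrow(Task t, String user) {
        return t instanceof Item && ((Item) t).hasPermission(user, Perm.ITEM_READ);
    }

    // Widened policy: any AccessControlled task, shown if the user holds either read permission.
    static boolean visibleWidened(Task t, String user) {
        if (!(t instanceof AccessControlled)) return false;   // no ACL to consult: stays hidden
        AccessControlled ac = (AccessControlled) t;
        return ac.hasPermission(user, Perm.ITEM_READ) || ac.hasPermission(user, Perm.GENERIC_READ);
    }

    public static void main(String[] args) {
        List<Task> queue = List.of(
            new JobTask("job", Map.of("alice", Set.of(Perm.ITEM_READ))),
            new AclTask("subtask", Map.of("alice", Set.of(Perm.GENERIC_READ))),
            new OpaqueTask());
        for (String user : List.of("alice", "bob"))
            for (Task t : queue)
                System.out.printf("%-5s %-8s narrow=%-5b widened=%b%n",
                    user, t.name(), visibleNarrow(t, user), visibleWidened(t, user));
    }
}
```

For alice, "subtask" is hidden under the narrow policy and visible under the widened one, while "opaque" is hidden under both; bob, who holds no grants, sees nothing under either policy.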

            jglick Jesse Glick made changes -
            Labels 1.625.3-rejected regression workflow 1.625.3-rejected permissions regression workflow
            jglick Jesse Glick made changes -
            Remote Link This issue links to "workflow PR 258 (Web Link)" [ 13554 ]
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Stephen Connolly
            Path:
            core/src/main/java/hudson/model/Queue.java
            core/src/main/java/hudson/model/queue/AbstractQueueTask.java
            http://jenkins-ci.org/commit/jenkins/e930da45ff4c48dfcaadc57e01485051d2a04b1d
            Log:
            JENKINS-31649 Tidy-up javadoc comments after merge of JENKINS-31649

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            CHANGES.md
            aggregator/src/test/java/org/jenkinsci/plugins/workflow/steps/ExecutorStepTest.java
            support/src/main/java/org/jenkinsci/plugins/workflow/support/steps/ExecutorStepExecution.java
            http://jenkins-ci.org/commit/workflow-plugin/b9376a9f906dbb142acfe605be9c8358bcd66c3d
            Log:
            JENKINS-31649 When supported by Jenkins core, display queue items to authorized users.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            CHANGES.md
            aggregator/src/test/java/org/jenkinsci/plugins/workflow/steps/ExecutorStepTest.java
            support/src/main/java/org/jenkinsci/plugins/workflow/support/steps/ExecutorStepExecution.java
            http://jenkins-ci.org/commit/workflow-plugin/8dd67dd83e0ff60cdd284ae14e6316006c0eff34
            Log:
            Merge pull request #258 from jglick/PlaceholderTask-visibility-JENKINS-31649

            JENKINS-31649 Integrate with post-SECURITY-186 queue item display policy

            Compare: https://github.com/jenkinsci/workflow-plugin/compare/3d60b260ee0c...8dd67dd83e0f

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Stephen Connolly
            Path:
            core/src/main/java/hudson/model/Queue.java
            http://jenkins-ci.org/commit/jenkins/b51653d2bfa1a8b4e854bb0991202879e7228da8
            Log:
            [FIXED JENKINS-31649] Check should be against AccessControlled and Permission.READ

            • The previous check was too narrow.
            • We now check on AccessControlled (which is implemented by Item)
            • We now also check on Permission.READ (which is the generic read permission)

            This should allow subtasks whose task may not be an Item to at least implement AccessControlled to allow visibility.

            There remains an open question as to whether tasks that are not AccessControlled should ever be visible in the UI

            (cherry picked from commit cf1fdf98e435b4c7df54f1a8e958d185f1a0f3d2)

            olivergondza Oliver Gondža made changes -
            Labels 1.625.3-rejected permissions regression workflow 1.625.3-fixed permissions regression workflow
            dogfood dogfood added a comment -

            Integrated in jenkins_main_trunk #4373
            [FIXED JENKINS-31649] Check should be against AccessControlled and Permission.READ (Revision cf1fdf98e435b4c7df54f1a8e958d185f1a0f3d2)
            JENKINS-31649 Tidy-up javadoc comments after merge of JENKINS-31649 (Revision e930da45ff4c48dfcaadc57e01485051d2a04b1d)
            [FIXED JENKINS-31649] Check should be against AccessControlled and Permission.READ (Revision b51653d2bfa1a8b4e854bb0991202879e7228da8)

            Result = SUCCESS
            stephen connolly : cf1fdf98e435b4c7df54f1a8e958d185f1a0f3d2
            Files :

            • core/src/main/java/hudson/model/Queue.java

            stephen connolly : e930da45ff4c48dfcaadc57e01485051d2a04b1d
            Files :

            • core/src/main/java/hudson/model/Queue.java
            • core/src/main/java/hudson/model/queue/AbstractQueueTask.java

            ogondza : b51653d2bfa1a8b4e854bb0991202879e7228da8
            Files :

            • core/src/main/java/hudson/model/Queue.java
            dogfood dogfood added a comment -

            Integrated in jenkins_2.0 #5
            [FIXED JENKINS-31649] Check should be against AccessControlled and (Revision cf1fdf98e435b4c7df54f1a8e958d185f1a0f3d2)
            JENKINS-31649 Tidy-up javadoc comments after merge of JENKINS-31649 (Revision e930da45ff4c48dfcaadc57e01485051d2a04b1d)
            [FIXED JENKINS-31649] Check should be against AccessControlled and (Revision b51653d2bfa1a8b4e854bb0991202879e7228da8)

            Result = SUCCESS
            stephen connolly : cf1fdf98e435b4c7df54f1a8e958d185f1a0f3d2
            Files :

            • core/src/main/java/hudson/model/Queue.java

            stephen connolly : e930da45ff4c48dfcaadc57e01485051d2a04b1d
            Files :

            • core/src/main/java/hudson/model/Queue.java
            • core/src/main/java/hudson/model/queue/AbstractQueueTask.java

            ogondza : b51653d2bfa1a8b4e854bb0991202879e7228da8
            Files :

            • core/src/main/java/hudson/model/Queue.java
            stephenconnolly Stephen Connolly made changes -
            Status Resolved [ 5 ] Closed [ 6 ]
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 167086 ] JNJira + In-Review [ 209453 ]
            abayer Andrew Bayer made changes -
            Labels 1.625.3-fixed permissions regression workflow 1.625.3-fixed permissions pipeline regression workflow
            abayer Andrew Bayer made changes -
            Labels 1.625.3-fixed permissions pipeline regression workflow 1.625.3-fixed permissions pipeline regression

              People

              • Assignee:
                stephenconnolly Stephen Connolly
                Reporter:
                stephenconnolly Stephen Connolly