When ACLs are enabled, users with full privileges on a folder receiving Access Denied when trying to create a New Item within a folder. It only occurs during the AJAX validation of Item Name. It does not prevent clicking OK and actually creating the new item.

It appears the regression was introduced in 5.6. I think it is related to the changes to use the standard new page in this pull request: https://github.com/jenkinsci/cloudbees-folder-plugin/pull/48

Reproducer:

• Install Jenkins 1.651.1 (LTS)
• Install folder plugin (5.9)
• In "Configure Global Security"
  • Enable "Jenkin's own user database with sign up" in "Configure Global Security"
  • Save
• Create a user account (bheiskell) and log in
• In "Configure Global Security"
  • Enable "Project-based Matrix Authorization Strategy"
  • Add created user account (bheiskell) with full permissions
  • Check Overall read permission for Anonymous
• Create new folder (Folder)
  • Enable project-based security
  • Add user account (jsmith) to folder with full privileges
• Logout and create a new account (jsmith)
• Click New Item within the folder
  • Type anything in the "Item Name" field