
authenticated users can modify their own scores


    Details

    • Type: Bug
    • Status: Reopened
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: ci-game-plugin
    • Labels:
      None
    • Environment:
      Platform: All, OS: Windows 2000
      Description

      At the moment users seem to be able to modify their own scores in the CI game.
      If it makes any difference, users here currently authenticate using the
      Active Directory plugin.

            Activity

            alex_ouzounis Alex Ouzounis added a comment -

            A user can inspect the element, remove the disabled="disabled" and readonly="readonly" attributes, edit the score and save!

            How can we make sure that someone cannot edit the score?

            laurentf arobase-laurent added a comment -

            Hi, here is a solution that I implemented to prevent users from changing their score:
            1. Edit the jelly file "/ci-game/src/main/resources/hudson/plugins/cigame/UserScoreProperty/config.jelly"

            <?jelly escape-by-default='true'?>
            <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
                <f:entry title="${%User.IsParticipating}">
                    <f:checkbox name="game.participatingInGame" checked="${h.defaultToTrue(instance.participatingInGame)}" />
                </f:entry>
                <f:entry title="${%User.CurrentScore}">
                    <j:choose>
                        <!-- Only administrators get an editable field. -->
                        <j:when test="${h.hasPermission(app.ADMINISTER)}">
                            <f:textbox name="game.score" value="${instance.score}" />
                        </j:when>
                        <j:otherwise>
                            <!-- The hidden input is still under the user's control in the browser;
                                 the descriptor re-checks the submitted value on the server. -->
                            <input type="hidden" name="game.score" value="${instance.score}"/>
                            ${instance.score}
                        </j:otherwise>
                    </j:choose>
                </f:entry>
            </j:jelly>
            

            2. Edit the java file "/ci-game/src/main/java/hudson/plugins/cigame/UserScorePropertyDescriptor.java"

            package hudson.plugins.cigame;
            
            import net.sf.json.JSONObject;
            
            import org.kohsuke.stapler.StaplerRequest;
            
            import hudson.Extension;
            import hudson.Util;
            import hudson.model.Descriptor.FormException;
            import hudson.model.Hudson;
            import hudson.model.User;
            import hudson.model.UserProperty;
            import hudson.model.UserPropertyDescriptor;
            
            /**
             * Descriptor for the {@link UserScoreProperty}.
             * 
             * @author Erik Ramfelt
             */
            @Extension
            public class UserScorePropertyDescriptor extends UserPropertyDescriptor {
            
                public UserScorePropertyDescriptor() {
                    super(UserScoreProperty.class);
                }
            
                @Override
                public String getDisplayName() {
                    return Messages.User_Property_Title();
                }
                
                /**
                 * Method kept for backward compatibility.
                 * Prior to 1.222 the JSONObject formData was always null. This method
                 * should be removed in the future.
                 * @param req request coming from config.jelly
                 * @return a UserScoreProperty object
                 */
                private UserScoreProperty newInstanceIfJSONIsNull(StaplerRequest req) throws FormException {
                    String scoreStr = Util.fixEmpty(req.getParameter("game.score")); //$NON-NLS-1$
                    if (scoreStr != null) {
                        // The field is only disabled/readonly in the browser; whatever
                        // arrives here must be checked against the stored score.
                        checkScoreChangeAllowed(getRequestScore(scoreStr), "game.score"); //$NON-NLS-1$
                        return new UserScoreProperty(Double.parseDouble(scoreStr), req.getParameter("game.participatingInGame") != null, null); //$NON-NLS-1$
                    }
                    return new UserScoreProperty();
                }
            
                @Override
                public UserScoreProperty newInstance(StaplerRequest req, JSONObject formData) throws FormException {
                    if (formData == null) {
                        return newInstanceIfJSONIsNull(req);
                    }
                    if (formData.has("score")) { //$NON-NLS-1$
                        checkScoreChangeAllowed(getRequestScore(formData.get("score").toString()), "score"); //$NON-NLS-1$
                        return req.bindJSON(UserScoreProperty.class, formData);
                    }
                    return new UserScoreProperty();
                }
            
                @Override
                public UserProperty newInstance(User arg0) {
                    return null;
                }
            
                /**
                 * Rejects the submission when the submitted score differs from the score
                 * stored for the logged-in user and the caller does not hold ADMINISTER.
                 */
                private void checkScoreChangeAllowed(double requestedScore, String fieldName) throws FormException {
                    if (getCurrentUserScore() != requestedScore
                            && !Hudson.getInstance().getACL().hasPermission(Hudson.ADMINISTER)) {
                        throw new FormException("No cheating!", fieldName);
                    }
                }
            
                /** Score currently stored for the logged-in user; 0 if none or if anonymous. */
                private double getCurrentUserScore() {
                    User user = User.current();
                    UserScoreProperty property = user != null ? user.getProperty(UserScoreProperty.class) : null;
                    return property != null ? property.getScore() : 0.0;
                }
            
                /** Parses the submitted score; a non-numeric value is rejected instead of silently treated as 0. */
                private double getRequestScore(String strNumber) throws FormException {
                    if (strNumber == null || strNumber.isEmpty()) {
                        return 0;
                    }
                    try {
                        return Double.parseDouble(strNumber);
                    } catch (NumberFormatException e) {
                        throw new FormException("Score must be a number", "score"); //$NON-NLS-1$
                    }
                }
            }
            

            3. Execute: mvn package
            4. Copy ci-game.jar into {JENKINS_HOME}/plugins/ci-game/WEB-INF/lib
            5. Restart Jenkins

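The bypass in the first comment (strip disabled/readonly, or edit the hidden input, and submit) and the server-side check in the patch above, modelled in plain Python so the decision table can be exercised offline. This is an added example for this issue, not code from the ci-game plugin; field names follow the Jelly form, while Caller, ADMINISTER and FormException are simplified stand-ins for the Jenkins types. It goes slightly beyond the patch: a non-numeric score fails closed, a missing field keeps the stored score rather than discarding it, and an "ignore" mode shows the alternative of never trusting the client's value for non-admins at all.

```python
"""Server-side enforcement of a form field the browser renders as read-only.

Constructed example for this issue, not code from the ci-game plugin. It
models the decision made in UserScorePropertyDescriptor.newInstance() from
the patch above: whatever the browser sends for 'score' (the user may have
removed disabled/readonly or edited the hidden input), the stored score may
only change if the caller holds ADMINISTER.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, FrozenSet, Optional

ADMINISTER = "ADMINISTER"  # stand-in for Hudson.ADMINISTER


class FormException(Exception):
    """Rejects the whole submission, like hudson.model.Descriptor.FormException."""


@dataclass
class UserScoreProperty:
    score: float = 0.0
    participating: bool = True


@dataclass
class Caller:
    """The authenticated user submitting the form and the permissions they hold."""
    user_id: str
    permissions: FrozenSet[str] = field(default_factory=frozenset)

    def has_permission(self, perm: str) -> bool:
        return perm in self.permissions


def parse_score(raw: Any) -> float:
    """Parse the submitted score, failing closed on anything non-numeric.

    The getRequestScore() in the patch returns 0 for unparseable input, so a
    value such as "abc" passes the equality check whenever the stored score
    is 0; rejecting it here removes that gap.
    """
    try:
        return float(str(raw).strip())
    except ValueError:
        raise FormException("score must be a number") from None


def bind_score_property(form: Dict[str, Any], caller: Caller,
                        stored: Optional[UserScoreProperty],
                        mode: str = "reject") -> UserScoreProperty:
    """Build the property from what actually reached the server.

    form   -- submitted fields {"score": ..., "participatingInGame": ...}; the
              browser-side disabled/readonly attributes say nothing about them
    stored -- the server's current property for the caller (None if absent)
    mode   -- "reject": refuse a non-admin change, as the patch does
              "ignore": discard the client's score for non-admins and continue
    """
    current = stored.score if stored is not None else 0.0
    participating = bool(form.get("participatingInGame", False))

    if "score" not in form:
        # The patch returns a default-constructed property here, discarding the
        # stored score; keep the stored value so deleting the field cannot
        # reset a (possibly negative) score.
        return UserScoreProperty(score=current, participating=participating)

    requested = parse_score(form["score"])
    if requested != current and not caller.has_permission(ADMINISTER):
        if mode == "reject":
            raise FormException("No cheating!")
        requested = current  # "ignore": the tampered value never reaches storage

    return UserScoreProperty(score=requested, participating=participating)
```

Whichever mode is used, the comparison is against the score stored for the logged-in user (User.current() in the patch), so it is only meaningful when users edit their own configuration page; an administrator editing someone else's page passes the permission check regardless.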
            alex_ouzounis Alex Ouzounis added a comment -

            Nice!

            Can you submit a pull request?

            Alex

            laurentf arobase-laurent added a comment -

            You can see my pull request here: https://github.com/jenkinsci/ci-game-plugin/pull/17

            Laurent

            laurentf arobase-laurent added a comment -

            Released in version 1.23: https://github.com/jenkinsci/ci-game-plugin/commit/8fe601e6d515a66a8b9794b23fb1dfd55de788c8

            Issue should be closed.

              People

              • Assignee:
                redsolo redsolo
              • Reporter:
                pathsny pathsny
              • Votes: 14
              • Watchers: 8