Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-43386

Not sending mail to user with permission to view

    Details

    • Type: Bug
    • Status: Open (View Workflow)
    • Priority: Minor
    • Resolution: Unresolved
    • Component/s: email-ext-plugin
    • Labels:
      None
    • Environment:
      Jenkins LTS 2.46.1, EmailExtPlugin 2.57.1, role based matrix used
    • Similar Issues:

      Description

      After the latest update with the security patch, no mails sended anymore to "requester" of a job.

      The error message in job console looks like this:
      Not sending mail to user user@mail.com with no permission to view currentJob
      When setting the suggested property 

      -Dhudson.tasks.MailSender.SEND_TO_USERS_WITHOUT_READ=true

      it works.

       

      The user has overall read permission (matrix based security setup) and for the conrete job the permission:

      Job: View,Discover,Read,Workspace

      Run: Update

      The user has an account (if I click on the user which started the job .. also belongs to this job (can seen in the user view)) and the mail address is correct.

      What permissions or settings are required to avoid this problem? We do not like to have this system property enabled.

      Thanks for the great plugin and support!

      Regards,

      • Thomas

        Attachments

          Issue Links

            Activity

            Hide
            catonyx Todd B added a comment -

            After many unsuccessful tries to give "unknown" users read access, I found this is the only way which essentially disables the security. In particular, I used the second one below and e-mail notification seem to be back to our normal. Bummer there isn't a better way. Also, it seems I only needed to do this on the master (which after digging, I found that modifying the jenkins.xml was the easiest way).

             

            If the security fix is undesirable in a particular instance, it can be disabled with either or both of the following two system properties:

            • -Dhudson.tasks.MailSender.SEND_TO_UNKNOWN_USERS=true: send mail to build culprits even if they do not seem to be associated with a valid Jenkins login.
            • -Dhudson.tasks.MailSender.SEND_TO_USERS_WITHOUT_READ=true: send mail to build culprits associated with a valid Jenkins login even if they would not otherwise have read access to the job.
            Show
            catonyx Todd B added a comment - After many unsuccessful tries to give "unknown" users read access, I found this is the only way which essentially disables the security. In particular, I used the second one below and e-mail notification seem to be back to our normal. Bummer there isn't a better way. Also, it seems I only needed to do this on the master (which after digging, I found that modifying the jenkins.xml was the easiest way).   If the security fix is undesirable in a particular instance, it can be disabled with either or both of the following two system properties: -Dhudson.tasks.MailSender.SEND_TO_UNKNOWN_USERS=true: send mail to build culprits even if they do not seem to be associated with a valid Jenkins login. -Dhudson.tasks.MailSender.SEND_TO_USERS_WITHOUT_READ=true: send mail to build culprits associated with a valid Jenkins login even if they would not otherwise have read access to the job.
            Hide
            mattdrees Matt Drees added a comment -

            We've run into this too. We're using the " Github Authentication Plugin" and the "GitHub Committer Authorization Strategy". I noticed it appears that email addresses owned by admins (as defined by users listed in the GitHub Authorization Settings->Admin User Names field) are not filtered out. Non-admin jenkins user's email addresses are filtered out with the "Not sending mail to user user@cru.org with no permission to view" message.

             

            So this leads me to hypothesize there's a bug in either the github plugin, or how it is used by other components for authorization decisions.

            Show
            mattdrees Matt Drees added a comment - We've run into this too. We're using the " Github Authentication Plugin" and the "GitHub Committer Authorization Strategy". I noticed it appears that email addresses owned by admins (as defined by users listed in the GitHub Authorization Settings->Admin User Names field) are not filtered out. Non-admin jenkins user's email addresses are filtered out with the "Not sending mail to user user@cru.org with no permission to view" message.   So this leads me to hypothesize there's a bug in either the github plugin, or how it is used by other components for authorization decisions.
            Hide
            sgjenkins Steve Graham added a comment -

            Just updated my Gitlab Oauth settings with a Group name for all users. Works as expected, only authorised users who belong to the group set on Gitlab can log in to Jenkins 

            Unfortunately I also now get the messages 

            Not sending mail to user <username@...> with no permission to view <Jenkins Jobname> 

            If I set Global Security->Gitlab OAuth Settings -> Authenticated Users to allow View Read it works ok.

            if I set the same using the Group Name ist does not work.

            I would rate this as a more serious bug - I will try the workaround mentioned above ( SEND_TO_USERS_WIITHOUT_READ ) - it is a workaround.

            ( I also had to set SEND_TO_UNKNOWN_USERS a long time ago... - also a bug, users are known)

            Jenkins Version 2.176 ( just about to go to 2.177)

            Email Extension plugin  - 2.66

            Gitlab OAuth 1.4

             

            Show
            sgjenkins Steve Graham added a comment - Just updated my Gitlab Oauth settings with a Group name for all users. Works as expected, only authorised users who belong to the group set on Gitlab can log in to Jenkins  Unfortunately I also now get the messages  Not sending mail to user <username@...> with no permission to view <Jenkins Jobname>  If I set Global Security->Gitlab OAuth Settings -> Authenticated Users to allow View Read it works ok. if I set the same using the Group Name ist does not work. I would rate this as a more serious bug - I will try the workaround mentioned above ( SEND_TO_USERS_WIITHOUT_READ ) - it is a workaround. ( I also had to set SEND_TO_UNKNOWN_USERS a long time ago... - also a bug, users are known) Jenkins Version 2.176 ( just about to go to 2.177) Email Extension plugin  - 2.66 Gitlab OAuth 1.4  
            Hide
            dadamssg David Adams added a comment -

            Experiencing similar issues as Steve Graham. Using github oauth client for a github organization and can't get email to send. I've tried checking "Allow sending to unregistered users" with no change. I still get: 

            "Not sending mail to user myemail@gmail.com with no permission to view My Project » my-branch#40An attempt to send an e-mail to empty list of recipients, ignored."

            Show
            dadamssg David Adams added a comment - Experiencing similar issues as Steve Graham . Using github oauth client for a github organization and can't get email to send. I've tried checking "Allow sending to unregistered users" with no change. I still get:  "Not sending mail to user myemail@gmail.com with no permission to view My Project » my-branch#40An attempt to send an e-mail to empty list of recipients, ignored."
            Hide
            luckyhorang Hokwang Lee added a comment -

            suffering this problem, one more here.

            Show
            luckyhorang Hokwang Lee added a comment - suffering this problem, one more here.

              People

              • Assignee:
                slide_o_mix Alex Earl
                Reporter:
                waffel Thomas Wabner
              • Votes:
                14 Vote for this issue
                Watchers:
                24 Start watching this issue

                Dates

                • Created:
                  Updated: