Bug
Resolution: Not A Defect
Minor
None
According to the Javadoc, hudson.security.Permission#enabled "allows us to dynamically enable or disable the visibility of permissions, so administrators can control the complexity of their permission matrix".
But setting Jenkins.ADMINISTER.enabled=false has no impact; I can still access all administrative actions. It sounds to me like the ACL permission check has to first ensure the requested permission is enabled before it compares it with users' granted authorities.