Jenkins / JENKINS-5534

Access permissions are not taken into account when getting files via jobConfigHistory.



      Description

      Right now the plugin allows anonymous users to see configurations. This is true for the overview as well as for operations such as getConfig and showDiffs. Only users with the permission to change a job configuration should be able to see these.
      See:
      http://wiki.jenkins-ci.org/display/JENKINS/Making+your+plugin+behave+in+secured+Hudson
      for a reference on how to avoid this.


          Activity

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in hudson
          User: mfriedenhagen
          Path:
          trunk/hudson/plugins/jobConfigHistory/src/main/java/hudson/plugins/jobConfigHistory/JobConfigHistoryBaseAction.java
          trunk/hudson/plugins/jobConfigHistory/src/main/java/hudson/plugins/jobConfigHistory/JobConfigHistoryProjectAction.java
          http://jenkins-ci.org/commit/27127
          Log:
          JENKINS-5534 Make some operations depending on read permissions.

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in hudson
          User: mfriedenhagen
          Path:
          trunk/hudson/plugins/jobConfigHistory/src/main/java/hudson/plugins/jobConfigHistory/JobConfigHistoryBaseAction.java
          http://jenkins-ci.org/commit/27130
          Log:
          JENKINS-5534 READ permission was too permissive, try CONFIGURE instead.

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in hudson
          User: mfriedenhagen
          Path:
          trunk/hudson/plugins/jobConfigHistory/src/main/java/hudson/plugins/jobConfigHistory/JobConfigHistoryBaseAction.java
          trunk/hudson/plugins/jobConfigHistory/src/main/java/hudson/plugins/jobConfigHistory/JobConfigHistoryProjectAction.java
          http://jenkins-ci.org/commit/27155
          Log:
          JENKINS-5534 only return an Icon if the user has CONFIGURE permission, rename checkReadPermission to checkConfigurePermission as this is what it takes to see the history entries.

          mfriedenhagen Mirko Friedenhagen added a comment - - edited

          Invocations of hudson.plugins.jobConfigHistory.JobConfigHistoryBaseAction.getFile(), hudson.plugins.jobConfigHistory.JobConfigHistoryProjectAction.getConfigs() and hudson.plugins.jobConfigHistory.JobConfigHistoryProjectAction.getDiffFile() are checked against hudson.security.Permission.CONFIGURE and the badges are only shown in the UI if the user has this permission.

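The gating described in the comment above, shown as an added Java illustration. This is not the plugin's own code: the class names (ConfigHistoryProjectAction, ConfigHistoryRootAction), the icon path and the config-history directory layout under the project root are assumed for the example. The point it makes is that the permission check must sit on every data accessor Stapler can reach by URL (listing, raw file), not only on the badge, because hiding the sidebar link does nothing against a user who types the URL.

```java
package example.jobconfighistory; // hypothetical package; not the plugin's own

import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import hudson.model.AbstractProject;
import hudson.model.Action;
import hudson.model.Hudson;
import hudson.model.Item;
import hudson.model.RootAction;
import hudson.security.Permission;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;

/**
 * Project-level action (assumed class). Every entry point that can reveal a
 * stored config.xml is gated on Item.CONFIGURE of the owning project: the
 * sidebar badge, the listing used by the Jelly view, and the raw-file handler.
 */
public class ConfigHistoryProjectAction implements Action {

    private final AbstractProject<?, ?> project;

    public ConfigHistoryProjectAction(AbstractProject<?, ?> project) {
        this.project = project;
    }

    /** Returning null removes the badge from the sidebar for users without CONFIGURE. */
    public String getIconFileName() {
        return project.hasPermission(Item.CONFIGURE)
                ? "/plugin/jobConfigHistory/img/confighistory.png" // assumed icon path
                : null;
    }

    public String getDisplayName() { return "Job Config History"; }

    public String getUrlName() { return "jobConfigHistory"; }

    /**
     * Called from the index view. checkPermission() throws AccessDeniedException,
     * which Hudson turns into a 403, so a user with only Item.READ gets nothing
     * even when requesting the page directly.
     */
    public List<File> getConfigs() {
        project.checkPermission(Item.CONFIGURE);
        File historyDir = new File(project.getRootDir(), "config-history"); // assumed layout
        File[] entries = historyDir.listFiles();
        return entries == null ? new ArrayList<File>() : Arrays.asList(entries);
    }

    /**
     * Stapler routes GET .../jobConfigHistory/configOutput?entry=NAME here.
     * Same check, so the raw XML cannot be fetched by URL without CONFIGURE.
     */
    public void doConfigOutput(StaplerRequest req, StaplerResponse rsp) throws IOException {
        project.checkPermission(Item.CONFIGURE);
        String entry = req.getParameter("entry");
        for (File dir : getConfigs()) {
            if (dir.getName().equals(entry)) { // only serve names the listing itself produced
                rsp.setContentType("text/xml;charset=UTF-8");
                java.nio.file.Files.copy(new File(dir, "config.xml").toPath(), rsp.getOutputStream());
                return;
            }
        }
        rsp.sendError(StaplerResponse.SC_NOT_FOUND);
    }
}

/**
 * Root-level action (assumed class). There is no single project to ask, so the
 * check is made against the Hudson instance, as the issue's later commit does.
 */
class ConfigHistoryRootAction implements RootAction {

    public String getIconFileName() {
        return Hudson.getInstance().hasPermission(Permission.CONFIGURE)
                ? "/plugin/jobConfigHistory/img/confighistory.png"
                : null;
    }

    public String getDisplayName() { return "Job Config History"; }

    public String getUrlName() { return "jobConfigHistory"; }

    public List<File> getConfigs() {
        Hudson.getInstance().checkPermission(Permission.CONFIGURE);
        File historyDir = new File(Hudson.getInstance().getRootDir(), "config-history"); // assumed layout
        File[] entries = historyDir.listFiles();
        return entries == null ? new ArrayList<File>() : Arrays.asList(entries);
    }
}
```

A quick check after deploying such a change is to log out and request the action URL directly (for example /job/NAME/jobConfigHistory/ and the configOutput path); with the accessors gated as above the server answers 403 for an anonymous user with read-only access, whereas a badge-only fix would still serve the XML.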
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in hudson
          User: mfriedenhagen
          Path:
          trunk/hudson/plugins/jobConfigHistory/src/main/java/hudson/plugins/jobConfigHistory/JobConfigHistoryBaseAction.java
          trunk/hudson/plugins/jobConfigHistory/src/main/java/hudson/plugins/jobConfigHistory/JobConfigHistoryProjectAction.java
          trunk/hudson/plugins/jobConfigHistory/src/main/java/hudson/plugins/jobConfigHistory/JobConfigHistoryRootAction.java
          trunk/hudson/plugins/jobConfigHistory/src/test/java/hudson/plugins/jobConfigHistory/JobConfigHistoryBaseActionTest.java
          http://jenkins-ci.org/commit/27168
          Log:
          JENKINS-5534 refine permissions for the root and project action by checking Permission.CONFIGURE either for the hudson instance or the project.

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in hudson
          User: mfriedenhagen
          Path:
          trunk/hudson/plugins/jobConfigHistory/src/test/java/hudson/plugins/jobConfigHistory/JobConfigHistoryBaseActionTest.java
          http://jenkins-ci.org/commit/27167
          Log:
          Implement testcase for JENKINS-5534, which shows the jobConfigHistory-badge only if security is not enabled.

          mfriedenhagen Mirko Friedenhagen added a comment -

          Really seems to work.


            People

            • Assignee: mfriedenhagen Mirko Friedenhagen
            • Reporter: mfriedenhagen Mirko Friedenhagen
            • Votes: 0
            • Watchers: 0