JENKINS-56016

Input Submitter parameter ignored


      Description

      I use the following snippet in my DSL pipeline:

      operators = "ldapUserGroup"
      ChoiceParameterDefinition choice = new ChoiceParameterDefinition('continue', ['YES'] as String[], 'Description')
      returnValue = input message: 'DEPLOY ?', 
                          parameters: [choice], 
                          submitter: operators, 
                          submitterParameter: 'approver'
      

      I am not part of the ldapUserGroup, thus I would expect the pipeline not to continue. However, the pipeline continues anyway.

      07:39:05 Approved by Surname Lastname
      [Pipeline] }
      

      The same happens if I use a particular userID or list of userIDs rather than an ldapGroup:

      operators = "userID0001,userID0002"
      ChoiceParameterDefinition choice = new ChoiceParameterDefinition('continue', ['YES'] as String[], 'Description')
      returnValue = input message: 'DEPLOY ?', 
                          parameters: [choice], 
                          submitter: operators, 
                          submitterParameter: 'approver'
      

          Activity

          papanito Adrian Wyssmann added a comment -

          Apparently I, as an administrator, can answer the question. Other users, who are not administrators, are rejected when answering the question.

          Is this the expected behaviour? If yes, I did not see this in the documentation, thus it would be good to mention this behaviour.

          orathore Omit Rathore added a comment - - edited

          This is a very dangerous issue; teams relying on permissions control with submitter are broken. We had to revert to 2.8.

          The ideal flow would be that only the user/team mentioned as submitter is allowed to proceed. It is a classic example of privilege escalation. It is a kind of security threat.

          It's fine to have this feature if submitter is not mentioned.

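          The first comment reports that an administrator can answer the prompt even when not listed in `submitter`. As an added example (not code from the issue or from the Jenkins project), a scripted pipeline can re-check the ID returned through `submitterParameter` against its own allow list and fail the build otherwise. It covers the user-ID list case only, not group membership; the IDs are the sample values from the description and the variable names are hypothetical.

```groovy
// Added example: defense-in-depth check on who actually approved the input.
// allowedApprovers reuses the sample user IDs from the issue description.
def allowedApprovers = ['userID0001', 'userID0002']

def answer = input(
    message: 'DEPLOY ?',
    parameters: [choice(name: 'continue', choices: 'YES', description: 'Description')],
    submitter: allowedApprovers.join(','),
    submitterParameter: 'approver'
)

// With one parameter plus submitterParameter, input returns a Map keyed by
// parameter name; 'approver' holds the user ID of whoever submitted the form.
def approver = answer['approver']

if (!(approver in allowedApprovers)) {
    // Stop here so later deployment stages never run on this approval.
    error("Input was approved by '${approver}', who is not in the allowed submitter list")
}

echo "Deployment approved by ${approver}"
```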

            People

            • Assignee: Unassigned
            • Reporter: papanito Adrian Wyssmann
            • Votes: 2
            • Watchers: 4
