
Reading the node list requires Admin privileges

    • Bug
    • Resolution: Fixed
    • Major
    • _unsorted
    • None
    • Platform: All, OS: All

      Hudson 1.173

      With Anonymous given read-only privileges, it seems that reading the node list (i.e.
      http://.../hudson/computer/) requires special privileges. Is that intended?

      Navigate to
      http://hudson.zones.apache.org/hudson/computer/(master)/

      Click on "Back to List" or "Nodes" link in top left.

      Attempts to load URL:
      http://hudson.zones.apache.org/hudson/computer/
      but fails with

      HTTP Status 403 -
      type Status report
      message
      description Access to the specified resource () has been forbidden.
      Apache Tomcat/5.5.25

          [JENKINS-1207] Reading the node list requires Admin privileges

          Kohsuke Kawaguchi added a comment -

          I guess we should consider just hiding some columns that may be considered
          sensitive (like clock and disk space)? Or do you think it's safe to expose them all?

          Feedback appreciated.

          nidaley added a comment -

          Hmm, good point Kohsuke. Yes, hiding the sensitive info would be much more user friendly. I think just
          disk space should be hidden.

          Alan Harder added a comment -

          Working on this one. Hiding disk-space and swap-space columns from non-admins.
          The "refresh" button and action already have an admin check.

          Alan Harder added a comment -

          Setting to started.

          Code changed in hudson
          User: mindless
          Path:
          trunk/hudson/main/core/src/main/java/hudson/node_monitors/DiskSpaceMonitor.java
          trunk/hudson/main/core/src/main/java/hudson/node_monitors/SwapSpaceMonitor.java
          trunk/hudson/main/core/src/main/resources/hudson/model/ComputerSet/index.jelly
          http://fisheye4.cenqua.com/changelog/hudson/?cs=14043
          Log:
          [FIXED JENKINS-1207] Don't require admin permission to view computer/ (node list) page.
          Instead just hide disk-space and swap-space columns from the table.
          Admin check was already there for "refresh" button at bottom of page.
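
The approach recorded in the commit log above, sketched as an added example that is not the Hudson code from this change: the page needs only read permission, the disk-space and swap-space columns are filtered out for non-admins, and the refresh action keeps its own admin check. All class, method and column names and the sample node are assumptions made for illustration (Java 16+).

```java
import java.util.*;

// Added illustration; every name here is hypothetical, not a Hudson class.
public class NodeListView {
    enum Permission { READ, ADMINISTER }
    record Column(String title, Permission required) {}

    // Constructed column titles; disk and swap space are the admin-only ones.
    static final List<Column> COLUMNS = List.of(
        new Column("Name", Permission.READ),
        new Column("Clock Difference", Permission.READ),
        new Column("Free Disk Space", Permission.ADMINISTER),
        new Column("Free Swap Space", Permission.ADMINISTER));

    // Filter on the server so hidden values never reach the response.
    static List<Column> visibleColumns(Set<Permission> granted) {
        return COLUMNS.stream().filter(c -> granted.contains(c.required())).toList();
    }

    // The page needs only READ; headers and cells use the same filtered list.
    static String render(Set<Permission> granted, List<Map<String, String>> nodes) {
        if (!granted.contains(Permission.READ)) throw new SecurityException("403: READ required");
        List<Column> cols = visibleColumns(granted);
        StringBuilder out = new StringBuilder();
        for (Column c : cols) out.append(c.title()).append(" | ");
        out.append('\n');
        for (Map<String, String> node : nodes) {
            for (Column c : cols) out.append(node.getOrDefault(c.title(), "N/A")).append(" | ");
            out.append('\n');
        }
        return out.toString();
    }

    // The state-changing action keeps its own check, independent of the view.
    static void refresh(Set<Permission> granted) {
        if (!granted.contains(Permission.ADMINISTER)) throw new SecurityException("403: ADMINISTER required");
    }

    public static void main(String[] args) {
        List<Map<String, String>> nodes = List.of(Map.of(   // constructed sample node
            "Name", "master", "Clock Difference", "In sync",
            "Free Disk Space", "12GB", "Free Swap Space", "2GB"));
        Set<Permission> anonymous = EnumSet.of(Permission.READ);
        System.out.println(render(anonymous, nodes));                        // anonymous reader
        System.out.println(render(EnumSet.allOf(Permission.class), nodes)); // administrator
        try { refresh(anonymous); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```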
