
Inconsistencies in matrix security / authorization

    • Type: Patch
    • Resolution: Fixed
    • Priority: Critical
    • Component: _unsorted
    • Labels: None
    • Platform: All, OS: All

      I use LDAP authentication and matrix authorization. I have a user with every
      permission granted EXCEPT "admin". I see the following problems:

      1) Browsing to a job does show the "Configure" link in the sidebar, but clicking
      it results in a white "Forbidden" page.
      2) Able to start a build by clicking "Build Now" but when it starts there is no
      red "X" button to cancel the build.
      3) No "Add description" or "Edit description" links on job or build pages.

          [JENKINS-1345] Inconsistencies in matrix security / authorization

          Alan Harder added a comment -

          Just curious if this has been tested/reproduced. We use Hudson in a managed
          environment with many projects, and the admins don't want to give admin
          permission to everyone. This bug prevents them from granting access to configure
          jobs. Thanks!


          Alan Harder added a comment -

          Doesn't anyone use matrix security? Please vote for this issue! Hope this can
          be looked at soon.. thanks, and thanks for Hudson!


          Alan Harder added a comment -

          I need to retest item 1 (configure) and see if that is working now.. here are
          some diffs for the other two items:

          Index: main/core/src/main/resources/hudson/model/AbstractBuild/index.jelly
          ===================================================================
          — main/core/src/main/resources/hudson/model/AbstractBuild/index.jelly
          (revision 9704)
          +++ main/core/src/main/resources/hudson/model/AbstractBuild/index.jelly (working
          copy)
          @@ -22,7 +22,7 @@
          </t:buildCaption>

          <div>

          • <t:editableDescription permission="${app.ADMINISTER}" />
            + <t:editableDescription permission="${it.project.CONFIGURE}" />
            </div>

          <table style="margin-top: 1em; margin-left:1em;">
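          Review bot: the build-page description link is now gated on the owning project's CONFIGURE permission (`${it.project.CONFIGURE}`), which is the right scope for a per-job matrix, but this attribute only decides whether the link is rendered; the handler that accepts the submitted description must check the same permission, since hiding a link is not authorization, and a view check that differs from the handler check is exactly what produced the reporter's item 1 (link shown, request Forbidden).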
          Index: main/core/src/main/resources/hudson/model/Job/index.jelly
          ===================================================================
          — main/core/src/main/resources/hudson/model/Job/index.jelly (revision 9704)
          +++ main/core/src/main/resources/hudson/model/Job/index.jelly (working copy)
          @@ -3,7 +3,7 @@
          <st:include page="sidepanel.jelly" />
          <l:main-panel>
          <h1>${it.pronoun} ${it.displayName}</h1>

          • <t:editableDescription permission="${app.ADMINISTER}"/>
            + <t:editableDescription permission="${it.CONFIGURE}"/>

          <j:if test="${it.disabled}">
          <div class="warning">
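          Review bot: `${it.CONFIGURE}` in Job/index.jelly replaces an instance-wide check with a job-scoped one, which matches the reporter's setup and is consistent with the AbstractBuild hunk. Since the tag previously received a Permission object from `${app.ADMINISTER}`, confirm that `${it.CONFIGURE}` resolves to the job's CONFIGURE permission object in this view rather than to null; a null permission would hide the link for every user, admins included, which would look like the original bug.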
          Index: main/core/src/main/resources/hudson/widgets/HistoryWidget/entry.jelly
          ===================================================================
          — main/core/src/main/resources/hudson/widgets/HistoryWidget/entry.jelly
          (revision 9704)
          +++ main/core/src/main/resources/hudson/widgets/HistoryWidget/entry.jelly
          (working copy)
          @@ -28,9 +28,9 @@
          <tr><td>
          <t:buildProgressBar build="${build}"/>
          </td><td style="padding:0">

          • <l:isAdmin>
            + <j:if test="${it.hasAbortPermission()}">
            <a href="${link}stop"><img src="${imagesURL}/16x16/stop.gif"
            alt="[cancel]"/></a>
          • </l:isAdmin>
            + </j:if>
            </td></tr>
            </table>
            </td></tr>
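          Review bot: `${it.hasAbortPermission()}` is evaluated against `it`, which in HistoryWidget/entry.jelly is the widget, not a build or project; the hunk itself refers to the build as `${build}` (in `<t:buildProgressBar build="${build}"/>`), so the condition should be made against that build's project, or against the widget owner's ABORT permission as the revised patch described in a later comment does (`it.owner.ABORT`). As written the condition is never true, which matches the note that this diff "does NOT work". Whether or not the icon is rendered, the stop target (`${link}stop`) must keep enforcing ABORT on the server side.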

          The first two diffs seem to work.. the last one does NOT work, but shows the
          right place to make a change. I wasn't sure of the right ${something} reference
          for the object that can do hasAbortPermission().


          Alan Harder added a comment -

          Ah, I see item 1 has been resolved in issue #1750 (filed so long after my
          report!).. thanks for that one. I hope these other 2 items can be fixed too
          with the help of the patch I posted.


          Kohsuke Kawaguchi added a comment -

          Didn't realize that there was a patch for this. Updating the issue accordingly.

          Alan Harder added a comment -

          Ok, I fixed up the patch so it is functional. See the attached file.

          Retested the original bug description:
          1) Item 1 works now
          2) Still not working
          3) Still not working on project page, but works now on build page

          Attached patch fixed the following:
          a) Job/index.jelly: use it.CONFIGURE permission instead of app.ADMINISTER so
          add/edit description show up on project page (item 3 above).
          b) HistoryWidget/entry.jelly: use it.owner.ABORT permission (if object type is
          project) for permission check, so red X to abort a build shows up in build
          history on project page (item 2 above).
          c) buildCaption.jelly: use it.project.hasAbortPermission() instead of
          parent.hasAbortPermission() (this one isn't working now, even for admins) so red
          X to abort a build shows up on build page and console output page.

          Side note: for some reason in FF3 I see the red X in the console output page,
          but I'm not able to click it (maybe some conflict with "view as text" link right
          below it?).

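          All three symptoms in this issue come down to a view testing one permission while the request handler behind the control enforces another. The following Python model is an added illustration written for this page, not Hudson's code: it represents a matrix-authorization table, a set of UI controls with separate "view" and "action" permissions, and a consistency check that flags every user/control pair where visibility and authorization disagree. The permission names (ADMINISTER, CONFIGURE, ABORT) and the before/after pairings come from the comments above; the rule that ADMINISTER implies every other permission, and the sample users, are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Permission names from the issue. ADMINISTER is instance-wide; CONFIGURE and
# ABORT are the job-level permissions the patch switches the views to.
ADMINISTER = "ADMINISTER"
CONFIGURE = "CONFIGURE"
ABORT = "ABORT"


class MatrixAuth:
    """Minimal matrix-authorization model: a user -> permission-set table.
    Assumption for this model: ADMINISTER implies every other permission."""

    def __init__(self, grants: Dict[str, FrozenSet[str]]) -> None:
        self.grants = grants

    def has_permission(self, user: str, permission: str) -> bool:
        granted = self.grants.get(user, frozenset())
        return ADMINISTER in granted or permission in granted


@dataclass(frozen=True)
class UiElement:
    """A link or button: the permission the view tests before rendering it,
    and the permission the request handler enforces when it is used."""
    name: str
    view_permission: str
    action_permission: str


def find_inconsistencies(auth: MatrixAuth, elements: List[UiElement],
                         users: List[str]) -> List[Tuple[str, str, str]]:
    """Return (user, element, kind) for every pair where what the page shows
    disagrees with what the server allows.

    'hidden-but-allowed': the user may perform the action but never sees the
        control (items 2 and 3: no red X, no add/edit description link).
    'shown-but-forbidden': the control is rendered but the request is rejected
        (item 1: Configure link leads to a Forbidden page)."""
    problems: List[Tuple[str, str, str]] = []
    for user in users:
        for element in elements:
            shown = auth.has_permission(user, element.view_permission)
            allowed = auth.has_permission(user, element.action_permission)
            if allowed and not shown:
                problems.append((user, element.name, "hidden-but-allowed"))
            elif shown and not allowed:
                problems.append((user, element.name, "shown-but-forbidden"))
    return problems


# Constructed sample matrix: 'dev' holds the job-level permissions but not
# ADMINISTER, mirroring the reporter's setup; 'admin' holds ADMINISTER.
SAMPLE_AUTH = MatrixAuth({
    "admin": frozenset({ADMINISTER}),
    "dev": frozenset({CONFIGURE, ABORT}),
})

# Views before the patch: both controls keyed on app.ADMINISTER while the
# handlers behind them require job-level permissions.
ELEMENTS_BEFORE = [
    UiElement("edit description", ADMINISTER, CONFIGURE),
    UiElement("stop build (red X)", ADMINISTER, ABORT),
]

# Views after the patch: the view tests the same job-level permission the
# handler enforces, so visibility and authorization cannot diverge.
ELEMENTS_AFTER = [
    UiElement("edit description", CONFIGURE, CONFIGURE),
    UiElement("stop build (red X)", ABORT, ABORT),
]


def report(elements: List[UiElement]) -> List[Tuple[str, str, str]]:
    """Run the consistency check for the constructed users and elements."""
    return find_inconsistencies(SAMPLE_AUTH, elements, ["admin", "dev"])


if __name__ == "__main__":
    for label, elements in (("before", ELEMENTS_BEFORE), ("after", ELEMENTS_AFTER)):
        print(label, report(elements) or "consistent")
```

          The check is deliberately two-sided: "hidden-but-allowed" is the functional loss the reporter hit, while "shown-but-forbidden" is the more important signal from a security standpoint, because it means the view was never the enforcement point and the handler's own check is all that stands between the user and the action.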

          Alan Harder added a comment -

          Created an attachment (id=467)
          Fix permission checks for showing some UI elements


          adphillips added a comment -

          I wonder if this issue is related to the Project Matrix authorization weirdness
          issue? : https://hudson.dev.java.net/issues/show_bug.cgi?id=2186

          If so, I mention a solution (pending) in the comments of this issue #2186.


          Alan Harder added a comment -

          No, these are actual bugs in how permissions are checked for showing/not-showing
          these UI elements. But, I have noticed the ProjectMatrix issue too.. thanks for
          the pointer. Going to reply to my own -dev email


          SCM/JIRA link daemon added a comment -

          Code changed in hudson
          User: kohsuke
          Path:
          trunk/hudson/main/core/src/main/resources/hudson/model/Job/index.jelly
          trunk/hudson/main/core/src/main/resources/hudson/widgets/HistoryWidget/entry.jelly
          trunk/hudson/main/core/src/main/resources/lib/hudson/buildCaption.jelly
          trunk/www/changelog.html
          http://fisheye4.cenqua.com/changelog/hudson/?cs=13648
          Log:
          [FIXED JENKINS-1345] Inconsistencies in matrix security / authorization. In 1.265.

            Assignee: Unassigned
            Reporter: mindless (Alan Harder)