[JENKINS-14546] Regular users (other than admin) can't see any nested-views (other than the default one) with role-based authorization strategy activated

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Components: core, nested-view-plugin
    • Environment:
      - CentOS release 6.2 (Final) x86_64
      - JDK 1.6.0_30
      - Jenkins v1.464 (From Yum)
      - Nested View Plugin v1.8
      - Role-based Authorization Strategy Plugin v1.1.2

      When Role-based Authorization Strategy is applied to Jobs, users other than admin can see their jobs but can't see any Nested-Views (or sub-Nested-views) other than the default one. Only the admin user can see all nested views.


          Anthony HERBÉ created issue -

          Anthony HERBÉ added a comment -

          Users have "Read" rights on "View" item but don't have "Configure" rights on "View" item. When "Configure" rights on "View" item is checked, regular users can see any nested-views but this configuration is unsafe.

          Anthony HERBÉ made changes -
          Link New: This issue duplicates JENKINS-13429 [ JENKINS-13429 ]

          Anthony HERBÉ added a comment -

          I think upgrading Jenkins to version 1.467 or greater will resolve this problem (as mentioned in JENKINS-13429); can you confirm this?

          Joël Royer added a comment - - edited

          I have the same problem on my own Jenkins server (Jenkins v1.480, nested View Plugin v1.9).
          I'm admin and I see all nested views. But my regular users can't see them.


          Martin Kutter added a comment - - edited

          Problem still remains with Jenkins-1.483, Nested View Plugin 1.8, and 1.9, role-strategy 1.1.2.

          Without View.READ permissions, nested views are not shown as tabs, but can be accessed if the URL's guessed correctly.


          Martin Kutter added a comment - - edited

          I think this is due to how Jenkins handles read permissions in Views.

          In hudson.security.AuthorizationStrategy#getACL, there's the following code:

          if (!hasPermission && permission == View.READ) {
              return base.hasPermission(a,View.CONFIGURE) || !item.getItems().isEmpty();
          }
          

          The problem here is that for a nested view containing views (and no Jobs), item.getItems().isEmpty() is always true (getItems() only returns TopLevelElements - which [nested] views are not).

          One way to fix this could be to introduce an isEmpty() method in hudson.model.Views - which would return this.getItems.isEmpty(). Subclasses like NestedView from the Nested Views Plugin could override this method, and return true if any of the contained views is not empty.


          Audrey Azra added a comment - - edited

          We are facing the same problem (Jenkins LTS 1.466.2 & Nested View 1.9) [using Project-based Matrix Authorization Strategy]
          Even if View.READ permission is granted, nested views are not visible to regular (non-admin) users;
          As a workaround, we have emailed the affected users the URL to the view (eg: http://jenkins_server/view/VIEWNAME)
          [Note: This issue was not visible when we were running Jenkins 1.450 / Nested view plugin 1.8]


          Jesse Glick added a comment -

          JENKINS-13429 was fixed in 1.467. @martinkutter your comment about getACL is missing the point, which is that you need to grant View.READ for people to see the views. The block you quote is only for backward compatibility with old versions of Jenkins that did not define View.READ at all.

          Jesse Glick made changes -
          Resolution New: Duplicate [ 3 ]
          Status Original: Open [ 1 ] New: Resolved [ 5 ]
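
Added example, not part of the original issue and not Jenkins source code: a simplified Java model of the View.READ check quoted in the thread, showing how the compatibility fallback and an explicit grant treat a view that holds only sub-views. The class, enum and job names are hypothetical stand-ins.

```java
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

// Simplified model of the View.READ check discussed in the thread.
// All classes here are hypothetical stand-ins, not Jenkins source code.
public class ViewReadFallbackDemo {
    enum Permission { VIEW_READ, VIEW_CONFIGURE }

    // getItems() lists jobs only; sub-views are held separately, mirroring
    // the comment that getItems() does not return nested views.
    static class View {
        final List<String> jobs = new ArrayList<>();
        final List<View> nestedViews = new ArrayList<>();
        List<String> getItems() { return jobs; }
    }

    // Explicit grants for one user stand in for the base ACL.
    static boolean hasPermission(Set<Permission> grants, View item, Permission p) {
        boolean hasPermission = grants.contains(p);
        if (!hasPermission && p == Permission.VIEW_READ) {
            // Compatibility fallback, same shape as the quoted block.
            return grants.contains(Permission.VIEW_CONFIGURE) || !item.getItems().isEmpty();
        }
        return hasPermission;
    }

    static void report(String label, Set<Permission> grants, View v) {
        System.out.printf("%-40s visible=%b%n", label, hasPermission(grants, v, Permission.VIEW_READ));
    }

    public static void main(String[] args) {
        View jobsView = new View();
        jobsView.jobs.add("build-app");          // constructed sample job name
        View container = new View();             // holds only a sub-view, no jobs
        container.nestedViews.add(jobsView);

        Set<Permission> none = EnumSet.noneOf(Permission.class);
        report("no grant, view with jobs", none, jobsView);
        report("no grant, view with only sub-views", none, container);
        report("View.READ granted, only sub-views", EnumSet.of(Permission.VIEW_READ), container);
        report("View.CONFIGURE granted, only sub-views", EnumSet.of(Permission.VIEW_CONFIGURE), container);
    }
}
```

The second case corresponds to the nested-view situation described in the comments, the third to the explicit View.READ grant, and the fourth to the Configure workaround the reporter calls unsafe.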

            mindless Alan Harder
            aherbe Anthony HERBÉ
            Votes: 16
            Watchers: 24