Minor Not sure if this is actually a bug or not. AbstractProject.doConfigSubmit modifies the publishersList of an upstream project regardless of your permissions on that project. I would expect that you would need to have CONFIGURE permission on it. Not clear that there is a specific security threat from adding a BuildTrigger to an arbitrary project, but it will at a minimum result in a config.xml change from an unauthorized user, which might raise eyebrows.
BuildTrigger.DescriptorImpl.doCheck also ought to issue an error if you have no CONFIGURE permission. doAutoCompleteUpstreamProjects can probably be left alone - complete everything we can see but show an error if you cannot really touch it.
Also doCheck neglects to check AbstractProject.isConfigurable as doConfigSubmit does.
- is related to
-
JENKINS-13502 Editing any job removes inaccessible downstream jobs from all accessible jobs
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
[JENKINS-14992] Can add "build other projects" trigger to a project we cannot otherwise configure
| Link |
New:
This issue is related to |
| Link |
New:
This issue is related to |
| Resolution | New: Not A Defect [ 7 ] | |
| Status | Original: Open [ 1 ] | New: Resolved [ 5 ] |
| Link |
New:
This issue is related to |
| Workflow | Original: JNJira [ 145711 ] | New: JNJira + In-Review [ 191593 ] |
Not a bug as such, but
JENKINS-16956discusses better ideas.