At the moment, Groovy Postbuild has a checkbox to enable or disable access to build, listener and hudson properties of the BadgeManager.

Preventing access to these objects does not prevent access to Hudson via e.g. hudson.model.Hudson.instance, e.g. in the following Postbuild script:

hudson.model.Hudson.instance.doQuietDown()

So while Postbuild is nice and really useful, there is no way to run it in a secure way at the moment.

—

Please improve the feasibility of using Groovy Postbuild in a security conscious environment. A few suggestions:

1. Copy Groovy Plugin's approach of separating Groovy and System Groovy build steps, making the latter only available for configuration to users with ADMINISTER privileges.

2. Extend the API of BadgeManager. Something like build.keepLog() or build.setDescription(), or accessing a copy of the build variables map, is pretty harmless and can be exposed to any build.

3. Run "unprivileged" postbuild scripts in a separate process, and evaluate the output/return value (passed e.g. as JSON) in the Hudson environment to set badges and perform other actions. Changes will happen only at the end of Postbuild execution, but that'd be a reasonable price to pay.