• Type: Bug
    • Resolution: Fixed
    • Priority: Blocker
    • _unsorted
    • None
    • Platform: All, OS: All

      We have mapped Hudson logging to our LDAP. We use a matrix [username x permission]
      for setting permissions. However, if we set all permissions except "administer"
      of Hudson for some user, such a user is unable to save his/her job. Saving of
      the job ends with status code 403.

      This code seems to be the cause:

      public synchronized void doConfigSubmit( StaplerRequest req, StaplerResponse rsp )
              throws IOException, ServletException {
          try {
              checkPermission(ADMINISTER);

          [JENKINS-1750] Permission settings do not work correctly

          musilt2 added a comment -

          The root cause seems to be that redirect does not work properly for users
          lacking Administrator privileges:

          Job:771 (doConfigSubmit)
          rsp.sendRedirect("."); // this redirect does not work when user lacks administration privileges

          2008-05-27 15:19:16.717::WARN: /job/dzaet/configSubmit
          java.lang.IllegalStateException: Committed
              at org.mortbay.jetty.Response.resetBuffer(Response.java:995)
              at org.mortbay.jetty.Response.sendRedirect(Response.java:403)
              at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:136)
              at org.acegisecurity.context.HttpSessionContextIntegrationFilter$OnRedirectUpdateSessionResponseWrapper.sendRedirect(HttpSessionContextIntegrationFilter.java:525)
              at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:136)
              at hudson.model.Job.doConfigSubmit(Job.java:771)
              at hudson.model.AbstractProject.doConfigSubmit(AbstractProject.java:304)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              ...

          Other 403's are shown in configuration page, because of

          Hudson.java:

          public void doJavaHomeCheck( StaplerRequest req, StaplerResponse rsp )
                  throws IOException, ServletException {
              // this can be used to check the existence of a file on the server, so needs to be protected
              new FormFieldValidator(req,rsp,true) { // note the true here


          musilt2 added a comment -

          Created an attachment (id=267)
          msauer's patch


          mirilovic added a comment -

          I would say this is a stopper for hudson with matrix defined permissions...


          SCM/JIRA link daemon added a comment -

          Code changed in hudson
          User: kohsuke
          Path:
          trunk/hudson/main/core/src/main/java/hudson/model/Project.java
          trunk/www/changelog.html
          http://fisheye4.cenqua.com/changelog/hudson/?cs=9718
          Log:
          [FIXED JENKINS-1750] The doConfigSubmit method already does the security check, and this is checking the wrong permission, too. In 1.220.
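
The failure mode discussed in this issue, as an added example that is not part of the original thread and is not Hudson's code: an overriding handler performs a second, broader permission check before delegating to a base handler that already checks the right permission. All class names, the CONFIGURE permission name and the sample matrix are assumptions constructed for illustration.

```java
import java.util.*;

// Added illustration; every name here is hypothetical, not a Hudson class.
public class MatrixAuthDemo {
    enum Permission { ADMINISTER, CONFIGURE, READ }

    // Matrix ACL: username -> granted permissions (constructed sample data).
    static final Map<String, Set<Permission>> MATRIX = Map.of(
        "admin", EnumSet.allOf(Permission.class),
        "dev",   EnumSet.of(Permission.CONFIGURE, Permission.READ),
        "guest", EnumSet.of(Permission.READ));

    static class AccessDenied extends RuntimeException {
        AccessDenied(String user, Permission p) { super(user + " lacks " + p); }
    }

    static void checkPermission(String user, Permission p) {
        if (!MATRIX.getOrDefault(user, Set.of()).contains(p)) throw new AccessDenied(user, p);
    }

    // Base handler performs the one check that matches the operation.
    static class Job {
        void doConfigSubmit(String user) { checkPermission(user, Permission.CONFIGURE); /* save */ }
    }

    // "Before": the override adds a broader check, so a user holding every
    // permission except ADMINISTER is rejected before the base check runs.
    static class ProjectBefore extends Job {
        @Override void doConfigSubmit(String user) {
            checkPermission(user, Permission.ADMINISTER);
            super.doConfigSubmit(user);
        }
    }

    // "After": the override relies on the base-class check alone.
    static class ProjectAfter extends Job {
        @Override void doConfigSubmit(String user) { super.doConfigSubmit(user); }
    }

    // Maps the handler outcome to the HTTP status a client would see.
    static int status(Job job, String user) {
        try { job.doConfigSubmit(user); return 200; }
        catch (AccessDenied e) { return 403; }
    }

    public static void main(String[] args) {
        // Walk the whole matrix so over-restriction and over-permission both show up.
        for (String user : List.of("admin", "dev", "guest"))
            System.out.printf("%-5s before=%d after=%d%n", user,
                status(new ProjectBefore(), user), status(new ProjectAfter(), user));
    }
}
```

Running every user in the matrix through both variants makes the regression visible as a difference for the non-admin user who holds the configure permission, while the read-only user stays denied in both.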

            Assignee: Unassigned
            Reporter: musilt2