
Permission settings do not work correctly


    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Blocker
    • Resolution: Fixed
    • Component/s: _unsorted
    • Labels:
      None
    • Environment:
      Platform: All, OS: All

      Description

      We have mapped Hudson logging to our LDAP. We use the matrix [username x permission]
      for setting permissions. However, if we set for some user all permissions except
      "administer" of Hudson, such a user is unable to save his/her job. Saving of
      a job ends with status code 403.

      This code seems to be the cause:

      public synchronized void doConfigSubmit(StaplerRequest req, StaplerResponse rsp)
              throws IOException, ServletException {
          try {
              checkPermission(ADMINISTER);

          Activity

          musilt2 musilt2 created issue -
          musilt2 musilt2 added a comment -

          The root cause seems to be that redirect does not work properly for users
          lacking Administrator privileges:

          Job:771 (doConfigSubmit)
              rsp.sendRedirect("."); // this redirect does not work when user lacks administration privileges

          2008-05-27 15:19:16.717::WARN: /job/dzaet/configSubmit
          java.lang.IllegalStateException: Committed
              at org.mortbay.jetty.Response.resetBuffer(Response.java:995)
              at org.mortbay.jetty.Response.sendRedirect(Response.java:403)
              at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:136)
              at org.acegisecurity.context.HttpSessionContextIntegrationFilter$OnRedirectUpdateSessionResponseWrapper.sendRedirect(HttpSessionContextIntegrationFilter.java:525)
              at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:136)
              at hudson.model.Job.doConfigSubmit(Job.java:771)
              at hudson.model.AbstractProject.doConfigSubmit(AbstractProject.java:304)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              ...

          Other 403s are shown in the configuration page because of

          Hudson.java:

          public void doJavaHomeCheck(StaplerRequest req, StaplerResponse rsp)
                  throws IOException, ServletException {
              // this can be used to check the existence of a file on the server, so
              // needs to be protected
              new FormFieldValidator(req, rsp, true) { // note the true here

          musilt2 musilt2 added a comment -

          Created an attachment (id=267)
          msauer's patch

          mirilovic mirilovic added a comment -

          I would say this is a stopper for hudson with matrix defined permissions...

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in hudson
          User: kohsuke
          Path:
          trunk/hudson/main/core/src/main/java/hudson/model/Project.java
          trunk/www/changelog.html
          http://fisheye4.cenqua.com/changelog/hudson/?cs=9718
          Log:
          [FIXED JENKINS-1750] The doConfigSubmit method already does the security check, and this is checking the wrong permission, too. In 1.220.

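A toy model of the bug and of the fix described in the thread, added here as an example and not Hudson's own code: a matrix of [username x permission], a base job that checks Configure on save, a subclass override that checked Administer first (so a user granted everything but Administer got a 403), and a minimal response object whose committed 403 makes the later redirect fail the way the Jetty trace above shows. The names Matrix, Response, Job, BuggyProject, FixedProject and submit are assumptions made for this example.

```python
# Toy model of the JENKINS-1750 check (added example; not Hudson's own code).
ADMINISTER = "hudson.Administer"   # stands in for Hudson.ADMINISTER
CONFIGURE = "job.Configure"        # stands in for Item.CONFIGURE

class Forbidden(Exception):
    """checkPermission failure; Hudson answers it with HTTP 403."""

class Matrix:
    """Username x permission matrix, like the matrix authorization strategy."""
    def __init__(self, grants):
        self.grants = grants  # {username: set of permission names}; constructed
    def check(self, user, perm):
        if perm not in self.grants.get(user, set()):
            raise Forbidden(f"{user} lacks {perm}")

class Response:
    """Minimal servlet response: an error commits it, so a later redirect fails."""
    def __init__(self):
        self.status, self.location, self.committed = None, None, False
    def send_error(self, status):
        self.status, self.committed = status, True
    def send_redirect(self, location):
        if self.committed:  # Jetty's "IllegalStateException: Committed"
            raise RuntimeError("Committed")
        self.status, self.location = 302, location

class Job:
    def __init__(self, matrix):
        self.matrix = matrix
    def do_config_submit(self, user, rsp):
        self.matrix.check(user, CONFIGURE)  # saving a job needs Configure only
        rsp.send_redirect(".")

class BuggyProject(Job):
    def do_config_submit(self, user, rsp):
        self.matrix.check(user, ADMINISTER)  # redundant, and the wrong permission
        super().do_config_submit(user, rsp)

class FixedProject(Job):
    pass  # override dropped; the base-class check is the only one needed

def submit(project, user):
    """HTTP status a user gets when saving a job's configuration."""
    rsp = Response()
    try:
        project.do_config_submit(user, rsp)
    except Forbidden:
        rsp.send_error(403)
    return rsp.status
```

With a user granted every permission except Administer, submit() returns 403 against BuggyProject and 302 against FixedProject; a redirect attempted after the 403 raises, matching the trace.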
          scm_issue_link SCM/JIRA link daemon made changes -
          Field        Original Value     New Value
          Resolution                      Fixed [ 1 ]
          Status       Open [ 1 ]         Resolved [ 5 ]
          abayer Andrew Bayer made changes -
          Status       Resolved [ 5 ]     Closed [ 6 ]
          rtyler R. Tyler Croy made changes -
          Workflow     JNJira [ 131823 ]  JNJira + In-Review [ 200956 ]
          ircbot Jenkins IRC Bot made changes -
          Component/s  _unsorted [ 19622 ]
          Component/s  security [ 15508 ]

            People

            Assignee: Unassigned
            Reporter: musilt2
