- Bug
- Resolution: Fixed
- Major
- None
- Platform: All, OS: All
Guest users (when security is enabled) can trigger a new build by using direct URLs.
Nothing destructive can be done, but anyways,
guest/anonymous users should not be able to do that.
The fix is simple:
Index: src/main/java/hudson/model/Project.java
===================================================================
RCS file: /cvs/hudson/hudson/main/core/src/main/java/hudson/model/Project.java,v
retrieving revision 1.8
diff -u -r1.8 Project.java
— src/main/java/hudson/model/Project.java 20 Nov 2006 14:46:55 -0000 1.8
+++ src/main/java/hudson/model/Project.java 22 Nov 2006 12:10:52 -0000
@@ -493,6 +493,9 @@
- Schedules a new build command.
*/
public void doBuild( StaplerRequest req, StaplerResponse rsp ) throws
IOException, ServletException { + if(!Hudson.adminCheck(req,rsp)) + return; + scheduleBuild(); rsp.forwardToPreviousPage(req); }
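Review bot: the guard added at the top of doBuild, "if(!Hudson.adminCheck(req,rsp)) return;", is by its name an administrator check, which is stricter than the stated goal of keeping guest/anonymous users from triggering builds. If authenticated non-admin users or the external trigger scripts from JENKINS-178 are meant to keep working, confirm that adminCheck admits them with supplied credentials, or use a check that rejects only anonymous requests. The Javadoc above still reads just "Schedules a new build command." and should state the new access requirement. The hunk touches doBuild only, so it is also worth confirming that no other URL-bound method in Project.java reaches scheduleBuild() without the same check.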
Let me know if that's OK and I'll commit.
- depends on
  - JENKINS-178 Needed an easy way to trigger builds remotely from scripts
  - Closed
Thanks. This was done intentionally (although it's a bad thing), so that Hudson
can be triggered from systems outside Hudson.
But you are probably right that it shouldn't be allowed for guests. Those
external triggering systems can still provide username/password information.
The change looks good to me. Please commit it.