Guest users (when security is enabled) can trigger a new build by using direct URLs.
Nothing destructive can be done, but anyways,
guest/anonymous users should not be able to do that.
The fix is simple:
Index: src/main/java/hudson/model/Project.java
===================================================================
RCS file: /cvs/hudson/hudson/main/core/src/main/java/hudson/model/Project.java,v
retrieving revision 1.8
diff -u -r1.8 Project.java
— src/main/java/hudson/model/Project.java 20 Nov 2006 14:46:55 -0000 1.8
+++ src/main/java/hudson/model/Project.java 22 Nov 2006 12:10:52 -0000
@@ -493,6 +493,9 @@
- Schedules a new build command.
*/
public void doBuild( StaplerRequest req, StaplerResponse rsp ) throws
IOException, ServletException
{
+ if(!Hudson.adminCheck(req,rsp))
+ return;
+
scheduleBuild();
rsp.forwardToPreviousPage(req);
}
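Review bot: The guard added at the top of doBuild calls Hudson.adminCheck, which by its name demands administrator rights, while the report only asks that guest/anonymous users be blocked. If authenticated non-admin users are meant to keep triggering builds, this check is stricter than the stated goal and should be confirmed as intended or replaced with a check for an authenticated user. The bare "return;" after a failed check also relies on adminCheck having already written the error response through rsp, which deserves a one-line comment, and the javadoc for doBuild should state the permission it now requires. Because the issue is reachable through direct URLs, any other state-changing do* handlers in Project.java should be reviewed for the same guard; this hunk covers only doBuild.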
Let me know if that's OK and I'll commit.