• Bug
    • Resolution: Fixed
    • Major
    • core
    • None
    • Platform: All, OS: All

      Guest users (when security is enabled) can trigger a new build by using direct URLs.

      Nothing destructive can be done, but anyways,
      guest/anonymous users should not be able to do that.

      The fix is simple:

      Index: src/main/java/hudson/model/Project.java
      ===================================================================
      RCS file: /cvs/hudson/hudson/main/core/src/main/java/hudson/model/Project.java,v
      retrieving revision 1.8
      diff -u -r1.8 Project.java
      — src/main/java/hudson/model/Project.java 20 Nov 2006 14:46:55 -0000 1.8
      +++ src/main/java/hudson/model/Project.java 22 Nov 2006 12:10:52 -0000
      @@ -493,6 +493,9 @@

      • Schedules a new build command.
        */
        public void doBuild( StaplerRequest req, StaplerResponse rsp ) throws
        IOException, ServletException { + if(!Hudson.adminCheck(req,rsp)) + return; + scheduleBuild(); rsp.forwardToPreviousPage(req); }
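
      Review bot: In doBuild, the new guard `if(!Hudson.adminCheck(req,rsp)) return;` requires admin rights, while the report is about guest/anonymous users; if authenticated non-admin users are meant to keep triggering builds, this check is broader than the stated fix, so confirm that is intended or note it in the commit message. The bare `return` also relies on adminCheck having already written the denial to rsp, which deserves a one-line comment, and since the hunk guards only doBuild, any other state-changing handlers in Project.java that are reachable by direct URL should get the same look.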

      Let me know if that's OK and I'll commit.

          [JENKINS-177] Guest users can start builds via direct URLs

          vsizikov created issue -
          Kohsuke Kawaguchi made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          vsizikov made changes -
          Resolution New: Fixed [ 1 ]
          Status Original: In Progress [ 3 ] New: Resolved [ 5 ]
          Jesse Glick made changes -
          Link New: This issue depends on JENKINS-178 [ JENKINS-178 ]
          Andrew Bayer made changes -
          Status Original: Resolved [ 5 ] New: Closed [ 6 ]
          Jenkins IRC Bot made changes -
          Component/s New: core [ 15593 ]
          Component/s Original: www [ 15484 ]
          R. Tyler Croy made changes -
          Workflow Original: JNJira [ 130250 ] New: JNJira + In-Review [ 199644 ]

            Assignee: Unassigned
            Reporter: vsizikov