Details
-
Bug
-
Status: Resolved (View Workflow)
-
Minor
-
Resolution: Fixed
-
Windows7 using the integrated webserver using ActiveDirectory authentication and matrix based security.
Description
I have a user that has only the single right "Job: read", but is still allowed to change the description of the server (main heading) for everyone.
Could be reproduced:
- log on as this user
- main page shows up, but no link to change the description)
- click on "my views"
- this will open the URL https://SERVERNAME/me/my-views
- which is redirected to https://SERVERNAME/me/my-views/view/Alle/
- On this page the global server description is writeable
This could also be tested by directly opening the URL:
https://SERVERNAME/me/my-views/editDescription
Attachments
Activity
Integrated in 
jenkins_main_trunk #2930
[FIXED JENKINS-18633] Simplified distinction between Jenkins.description and View.description. (Revision 04c8a1efc0f6324868638be9a4cfdb085e17744f)
Result = SUCCESS
Jesse Glick : 04c8a1efc0f6324868638be9a4cfdb085e17744f
Files :
- core/src/main/java/hudson/model/AllView.java
- changelog.html
- core/src/main/resources/hudson/model/View/index.jelly
- core/src/main/resources/hudson/model/AbstractModelObject/descriptionForm.jelly
Code changed in jenkins
User: Jesse Glick
Path:
changelog.html
core/src/main/java/hudson/model/AllView.java
core/src/main/resources/hudson/model/AbstractModelObject/descriptionForm.jelly
core/src/main/resources/hudson/model/View/index.jelly
http://jenkins-ci.org/commit/jenkins/04c8a1efc0f6324868638be9a4cfdb085e17744f
Log:
[FIXED JENKINS-18633] Simplified distinction between Jenkins.description and View.description.
Both are shown if defined. The edit description link only applies to View.description.
Properly handle a ViewGroup other than Jenkins itself, such as a folder.
There is a well-meaning but problematic attempt to make the Jenkins root delegate its description to its primary view, and an inappropriate assumption in AllView of what it is being used for. I am working on simplifying things so that each view has its own description, which the edit link will edit, and independently of that Jenkins has a description (“system message”) which will be shown above any view description. Also working on changes to make all this friendlier to folders.
Reproducible in 1.509.3 using Mock Security Realm and global matrix authorization. Create a user with Overall/Read and Job/Read, log in, and My Views » Edit Description can be used to set global description.
Attempted fix in https://github.com/jenkinsci/jenkins/pull/906 was closed; need a different fix.
By the way, in the future please file security-related issues in https://issues.jenkins-ci.org/browse/SECURITY.
Dominik Schwald
added a comment - edit: fixed markup 
Code changed in jenkins
User: Jesse Glick
Path:
core/src/main/java/hudson/model/AllView.java
core/src/main/resources/hudson/model/AbstractModelObject/descriptionForm.jelly
core/src/main/resources/hudson/model/View/index.jelly
http://jenkins-ci.org/commit/jenkins/624395829bfda6a87b3c0210e0a691af90037358
Log:
[FIXED JENKINS-18633] Simplified distinction between Jenkins.description and View.description.
Both are shown if defined. The edit description link only applies to View.description.
Properly handle a ViewGroup other than Jenkins itself, such as a folder.
(cherry picked from commit 04c8a1efc0f6324868638be9a4cfdb085e17744f)
Conflicts:
changelog.html
Compare: https://github.com/jenkinsci/jenkins/compare/65158b098327...624395829bfd