Bug
Resolution: Fixed
Minor
Windows 7 using the integrated web server using Active Directory authentication and matrix-based security.
I have a user that has only the single right "Job: read", but is still allowed to change the description of the server (main heading) for everyone.
Could be reproduced:
- log on as this user
  - main page shows up, but no link to change the description
- click on "my views"
  - this will open the URL https://SERVERNAME/me/my-views
  - which is redirected to https://SERVERNAME/me/my-views/view/Alle/
  - On this page the global server description is writeable
This could also be tested by directly opening the URL:
https://SERVERNAME/me/my-views/editDescription
[JENKINS-18633] /me/my-views/editDescription may be used by any user to set global description
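An added illustration, not code from the report or from Jenkins: a simplified model of how a page under a per-user URL can end up writing a global setting, next to a handler that authorizes against the object actually modified. The report does not state the root cause, so the mismatch between the check and the write target, the class names and the permission strings are all assumptions.

```python
# Added illustration: a simplified model, not Jenkins code. Class names,
# permission strings and the cause modelled here are assumptions.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller lacks the permission a write requires."""


@dataclass
class Server:
    description: str = ""
    # Global permissions per user (constructed sample shape).
    grants: dict = field(default_factory=dict)

    def has(self, user, permission):
        return permission in self.grants.get(user, set())


@dataclass
class MyViews:
    """Per-user container reached under /me/my-views; its owner may edit it."""
    owner: str
    server: Server

    def can_configure(self, user):
        return user == self.owner

    def edit_description_before(self, user, text):
        # Authorizes against the container at the URL, then writes the
        # global description: the check and the write target differ.
        if not self.can_configure(user):
            raise Forbidden(user)
        self.server.description = text

    def edit_description_after(self, user, text):
        # Authorizes against the object that is actually modified.
        if not self.server.has(user, "Overall/Administer"):
            raise Forbidden(user)
        self.server.description = text


def attempt(handler, user, text):
    """Return True if the write was accepted, False if it was refused."""
    try:
        handler(user, text)
        return True
    except Forbidden:
        return False
```
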
Assignee | New: Raphael CHAUMIER [ raphc ]
URL | New: https://github.com/jenkinsci/jenkins/pull/906
Labels | New: security
Assignee | Original: Raphael CHAUMIER [ raphc ]
URL | Original: https://github.com/jenkinsci/jenkins/pull/906
Labels | Original: security | New: lts-candidate security
Summary | Original: User with the right "READ" is able to change main server description | New: /me/my-views/editDescription may be used by any user to set global description
Assignee | New: Jesse Glick [ jglick ]
edit: fixed markup