JENKINS-18633

/me/my-views/editDescription may be used by any user to set global description

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component: core
    • Environment: Windows 7 using the integrated web server, using Active Directory authentication and matrix-based security.

      I have a user that has only the single right "Job: read", but is still allowed to change the description of the server (main heading) for everyone.

      Could be reproduced:
      - log on as this user
        * main page shows up, but no link to change the description
      - click on "my views"
        * this will open the URL https://SERVERNAME/me/my-views
          which is redirected to https://SERVERNAME/me/my-views/view/Alle/
        * On this page the global server description is writeable

      This could also be tested by directly opening the URL:
      https://SERVERNAME/me/my-views/editDescription
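As an added illustration (not Jenkins code and not the fix from pull request 906), a constructed Python model of the authorization pattern behind this report: a description-editing handler reached through the user's own /me/my-views URL must be authorized against the global object it modifies, not against the user's ownership of their views page. The permission identifiers, classes and user name in the model are assumptions.

```python
# Constructed model of the flaw in JENKINS-18633, not Jenkins source code:
# an editDescription action reachable under the per-user /me/my-views URL
# writes the global server description, but only the caller's ownership of
# their own views page is checked, not permission on the global object.
from dataclasses import dataclass
ADMINISTER = "Jenkins.ADMINISTER"   # hypothetical permission identifiers
JOB_READ = "Job.READ"

@dataclass
class User:
    name: str
    permissions: frozenset

@dataclass
class Server:
    description: str = "Build server"

    def check_permission(self, user, permission):
        if permission not in user.permissions:
            raise PermissionError(f"{user.name} lacks {permission}")

@dataclass
class MyViews:
    owner: str      # every authenticated user owns their own views page
    server: Server

    def edit_description_vulnerable(self, user, text):
        # Checks only that the caller owns /me/my-views, then writes the
        # shared description: a user with nothing but Job.READ succeeds.
        if user.name != self.owner:
            raise PermissionError("not the owner of these views")
        self.server.description = text

    def edit_description_fixed(self, user, text):
        # Authorize against the object that is actually being modified.
        self.server.check_permission(user, ADMINISTER)
        self.server.description = text

def demo(permissions):
    # Returns (description after the vulnerable handler, fixed handler blocked?)
    server = Server()
    user = User("dominik", frozenset(permissions))
    views = MyViews(owner="dominik", server=server)
    views.edit_description_vulnerable(user, "set via /me/my-views")
    after_vulnerable = server.description
    try:
        views.edit_description_fixed(user, "set via fixed handler")
        return after_vulnerable, False
    except PermissionError:
        return after_vulnerable, True
```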

          History:

          Dominik Schwald created issue
          Dominik Schwald made changes
          Description Original: I have a user that has only the single right "Job: read", but is still allowed to change the description of the server (main heading) for everyone.

          Could be reproduced:
          - log on as this user
            * main page shows up, but no link to change the description)
          - click on "my views"
            * this will open the URL https://SERVERNAME/me/my-views
              which is redirected to https://SERVERNAME/me/my-views/view/Alle/
            * On this page the global server description is writeable

          This could also be tested by directly opening the URL:
          https://SERVERNAME/me/my-views/editDescription

          New: I have a user that has only the single right "Job: read", but is still allowed to change the description of the server (main heading) for everyone.

          Could be reproduced:
          * log on as this user
          ** main page shows up, but no link to change the description)
          * click on "my views"
          ** this will open the URL https://SERVERNAME/me/my-views
          ** which is redirected to https://SERVERNAME/me/my-views/view/Alle/
          ** On this page the global server description is writeable

          This could also be tested by directly opening the URL:
          https://SERVERNAME/me/my-views/editDescription

          Raphael CHAUMIER made changes
          Assignee New: Raphael CHAUMIER [ raphc ]
          Jesse Glick made changes
          URL New: https://github.com/jenkinsci/jenkins/pull/906
          Labels New: security
          Raphael CHAUMIER made changes
          Assignee Original: Raphael CHAUMIER [ raphc ]
          Jesse Glick made changes
          URL Original: https://github.com/jenkinsci/jenkins/pull/906
          Labels Original: security New: lts-candidate security
          Summary Original: User with the right "READ" is able to change main server description New: /me/my-views/editDescription may be used by any user to set global description
          Jesse Glick made changes
          Assignee New: Jesse Glick [ jglick ]
          Jesse Glick made changes
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Jesse Glick made changes
          Labels Original: lts-candidate security New: folders lts-candidate security
          SCM/JIRA link daemon made changes
          Resolution New: Fixed [ 1 ]
          Status Original: In Progress [ 3 ] New: Resolved [ 5 ]
          Oliver Gondža made changes
          Labels Original: folders lts-candidate security New: 1.532.1-fixed folders security

            Assignee: Jesse Glick (jglick)
            Reporter: Dominik Schwald (dominik_)
            Votes: 0
            Watchers: 4