[JENKINS-18633] /me/my-views/editDescription may be used by any user to set global description - Jenkins JIRA

XML

Word

Printable

Details

Type: Bug
Status: Resolved (View Workflow)
Priority: Minor
Resolution: Fixed
Component/s: core
Labels:
Environment:
Windows7 using the integrated webserver using ActiveDirectory authentication and matrix based security.

Similar Issues:

Show

Description

I have a user that has only the single right "Job: read", but is still allowed to change the description of the server (main heading) for everyone.

Could be reproduced:

log on as this user
- main page shows up, but no link to change the description)
click on "my views"
- this will open the URL https://SERVERNAME/me/my-views
- which is redirected to https://SERVERNAME/me/my-views/view/Alle/
- On this page the global server description is writeable

This could also be tested by directly opening the URL:
https://SERVERNAME/me/my-views/editDescription

Attachments

Activity

Ascending order - Click to sort in descending order

Dominik Schwald created issue - 2013-07-05 11:57

Dominik Schwald made changes - 2013-07-05 12:02

Field	Original Value	New Value
Description	I have a user that has only the single right "Job: read", but is still allowed to change the description of the server (main heading) for everyone. Could be reproduced: - log on as this user * main page shows up, but no link to change the description) - click on "my views" * this will open the URL https://SERVERNAME/me/my-views which is redirected to https://SERVERNAME/me/my-views/view/Alle/ * On this page the global server description is writeable This could also be tested by directly opening the URL: https://SERVERNAME/me/my-views/editDescription	I have a user that has only the single right "Job: read", but is still allowed to change the description of the server (main heading) for everyone. Could be reproduced: * log on as this user ** main page shows up, but no link to change the description) * click on "my views" this will open the URL https://SERVERNAME/me/my-views which is redirected to https://SERVERNAME/me/my-views/view/Alle/ ** On this page the global server description is writeable This could also be tested by directly opening the URL: https://SERVERNAME/me/my-views/editDescription

Raphael CHAUMIER made changes - 2013-07-24 11:42

Assignee

Raphael CHAUMIER [ raphc ]

Jesse Glick made changes - 2013-08-12 19:18

URL		https://github.com/jenkinsci/jenkins/pull/906
Labels		security

Raphael CHAUMIER made changes - 2013-10-07 08:45

Assignee

Raphael CHAUMIER [ raphc ]

Jesse Glick made changes - 2013-10-07 13:35

URL	https://github.com/jenkinsci/jenkins/pull/906
Labels	security	lts-candidate security
Summary	User with the right "READ" is able to change main server description	/me/my-views/editDescription may be used by any user to set global description

Jesse Glick made changes - 2013-10-07 22:25

Assignee

Jesse Glick [ jglick ]

Jesse Glick made changes - 2013-10-07 22:25

Status

Open [ 1 ]

In Progress [ 3 ]

Jesse Glick made changes - 2013-10-07 22:26

Labels

lts-candidate security

folders lts-candidate security

SCM/JIRA link daemon made changes - 2013-10-07 23:22

Resolution		Fixed [ 1 ]
Status	In Progress [ 3 ]	Resolved [ 5 ]

Oliver Gondža made changes - 2013-11-02 10:21

Labels

folders lts-candidate security

1.532.1-fixed folders security

R. Tyler Croy made changes - 2016-07-25 23:55

Workflow

JNJira [ 149943 ]

JNJira + In-Review [ 193364 ]

People

Assignee:: Jesse Glick

Reporter:: Dominik Schwald

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2013-07-05 11:57

Updated:: 2013-11-02 10:21

Resolved:: 2013-10-07 23:22