Details
- Type: Bug
- Status: Resolved
- Priority: Minor
- Resolution: Fixed
- Component/s: core
- Environment: Windows 7 using the integrated webserver using ActiveDirectory authentication and matrix based security.
Description
I have a user that has only the single right "Job: read", but is still allowed to change the description of the server (main heading) for everyone.
Could be reproduced:
- log on as this user
  - main page shows up, but no link to change the description
- click on "my views"
  - this will open the URL https://SERVERNAME/me/my-views
  - which is redirected to https://SERVERNAME/me/my-views/view/Alle/
  - On this page the global server description is writeable
This could also be tested by directly opening the URL:
https://SERVERNAME/me/my-views/editDescription
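The report above describes an edit link hidden on the main page while a second URL still reaches the same global setter. The following is an added example, not Jenkins source code and not part of the original report: a simplified model in which the `Administer` permission name, the `/editDescription` route and the sample users are assumptions. It shows why the check belongs on the state-changing operation and how a per-route audit catches the gap.

```python
# Simplified model, constructed for illustration; not Jenkins source code.
READ, ADMIN = "Job/Read", "Administer"   # ADMIN is an assumed permission name

class AccessDenied(Exception):
    pass

class Server:
    def __init__(self, acl):
        self.acl = acl                   # user -> set of granted permissions
        self.description = "original"

    def has(self, user, perm):
        return perm in self.acl.get(user, set())

    def set_description(self, user, text, enforce):
        # Hardened form (enforce=True): the check sits on the operation itself,
        # so every URL that reaches it is covered.
        if enforce and not self.has(user, ADMIN):
            raise AccessDenied(user)
        self.description = text

def main_page_links(server, user):
    # UI-level hiding only: no edit link is rendered for non-admins.
    return ["my views"] + (["edit description"] if server.has(user, ADMIN) else [])

def handle(server, user, path, text, enforce):
    if path == "/editDescription":                    # assumed guarded route
        if not server.has(user, ADMIN):
            raise AccessDenied(user)
        server.set_description(user, text, enforce)
    elif path == "/me/my-views/editDescription":      # route from the report
        server.set_description(user, text, enforce)   # no check of its own
    else:
        raise KeyError(path)

ROUTES = ["/editDescription", "/me/my-views/editDescription"]
ACL = {"reader": {READ}, "admin": {READ, ADMIN}}      # constructed sample users

def audit(acl, user, enforce):
    """Return the routes on which `user` changed the global description."""
    writable = []
    for path in ROUTES:
        server = Server(acl)             # fresh state for each probe
        try:
            handle(server, user, path, "changed", enforce)
        except AccessDenied:
            continue
        if server.description != "original":
            writable.append(path)
    return writable
```

Running `audit` for each low-privilege role as a regression test flags any route that mutates global state without the required permission.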
Activity
Field | Original Value | New Value |
---|---|---|
Assignee | Raphael CHAUMIER [ raphc ] |
URL | https://github.com/jenkinsci/jenkins/pull/906 | |
Labels | security |
Assignee | Raphael CHAUMIER [ raphc ] |
URL | https://github.com/jenkinsci/jenkins/pull/906 | |
Labels | security | lts-candidate security |
Summary | User with the right "READ" is able to change main server description | /me/my-views/editDescription may be used by any user to set global description |
Assignee | Jesse Glick [ jglick ] |
Status | Open [ 1 ] | In Progress [ 3 ] |
Labels | lts-candidate security | folders lts-candidate security |
Resolution | Fixed [ 1 ] | |
Status | In Progress [ 3 ] | Resolved [ 5 ] |
Labels | folders lts-candidate security | 1.532.1-fixed folders security |
Workflow | JNJira [ 149943 ] | JNJira + In-Review [ 193364 ] |