New Feature
Resolution: Fixed
Major
CentOS
Jenkins
2.452
Even when choosing the most restricted user rights (Role Plugin: Global Role only 1 Read), it is possible for every user to view the Jenkins User Id AND the name of the user (see screenshots).
Working with an Active Directory for authentication, this means it's possible for everybody to get the user names from AD AND the common names (Security Hole with AD Plugin?).
Goal: create a Permission to allow specific People/Roles to see this User Account info and deny it to all others.
- depends on: JENKINS-26469 Split People view from core (Closed)
- is duplicated by: JENKINS-61316 role-strategy-plugin shows all users for all users (Resolved)
Without permission to view people, other views that can also be used to list people known to Jenkins should be restricted as well, like 'Changes' (remove author information?).
Maybe even information such as the field about who created a slave? Who started a build?
There's little that can be done for change lists sent via email-ext though. Other plugins might also provide ways to circumvent restrictions.