
Misleading description of the 'workspace' permission

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component: core

      The tooltip on the Job/Workspace permission in the authorization configuration matrix, after saying what the permission really does, suggests that "if you don't want an user to access the source code, you can do so by revoking this permission".

      Unfortunately, the workspace is often only one of many ways to access the source code via Jenkins, which makes the suggestion rather misleading. E.g., for Maven projects, the archived source artifacts or the source xref report in the archived Maven-generated site, both of which are accessible without the 'workspace' permission, give access to the sources.
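
An added example, not part of the original report or of Jenkins itself: a small audit that lists users who lack Job/Workspace yet can still reach source through the two Maven outputs the report names. The job data, the path patterns, and the premise that archived outputs are readable with Job/Read alone are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Path patterns for the two Maven outputs named in the report. The naming
# conventions (-sources.jar, xref/ directories in the generated site) are
# Maven defaults and an assumption about the jobs being audited.
SOURCE_PATTERNS = {
    "source artifact": re.compile(r"-(?:test-)?sources\.jar$"),
    "xref report": re.compile(r"(?:^|/)xref(?:-test)?/.+\.html$"),
}

@dataclass
class Job:
    name: str
    archived: list                              # archived or published paths
    grants: dict = field(default_factory=dict)  # user -> set of permissions

def source_paths(job):
    """Return {kind: [paths]} for archived paths that carry source."""
    hits = {}
    for path in job.archived:
        for kind, pattern in SOURCE_PATTERNS.items():
            if pattern.search(path):
                hits.setdefault(kind, []).append(path)
    return hits

def residual_source_access(jobs):
    """Users without Job/Workspace who can still reach source via archives."""
    findings = []
    for job in jobs:
        hits = source_paths(job)
        if not hits:
            continue
        for user, perms in sorted(job.grants.items()):
            # Assumption: archived outputs are served to anyone with Job/Read.
            if "Job/Read" in perms and "Job/Workspace" not in perms:
                findings.append((job.name, user, sorted(hits)))
    return findings

# Constructed sample data (hypothetical jobs, users and paths).
JOBS = [
    Job("lib-core",
        ["target/lib-core-1.0.jar", "target/lib-core-1.0-sources.jar",
         "site/xref/com/example/Core.html", "site/index.html"],
        {"alice": {"Job/Read", "Job/Workspace"}, "bob": {"Job/Read"}}),
    Job("docs", ["site/index.html"], {"bob": {"Job/Read"}}),
]

if __name__ == "__main__":
    for job, user, kinds in residual_source_access(JOBS):
        print(f"{job}: {user} lacks Job/Workspace but can read {', '.join(kinds)}")
```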

          [JENKINS-20148] Misleading description of the 'workspace' permission

          R. Tyler Croy added a comment -

          Don't mind me, I'm just here feeding the chickens


          Daniel Beck added a comment -

          Suggestion:

          This permission grants the ability to retrieve the contents of a workspace Jenkins checked out for performing builds. If you don’t want a user to access the checked out source code or build results through the workspace browser, you can revoke this permission.

          Previous:

          This permission grants the ability to retrieve the contents of a workspace Jenkins checked out for performing builds. If you don’t want an user to access the source code, you can do so by revoking this permission.

          Jesse Glick added a comment -

          Sounds good to me.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/src/main/resources/hudson/model/Messages.properties
          http://jenkins-ci.org/commit/jenkins/801f37d5a11554fb97bf9c8edbd9f3e5bd21a47f
          Log:
          [FIXED JENKINS-20148] Rephrase Workspace permission description

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          changelog.html
          core/src/main/resources/hudson/model/Messages.properties
          http://jenkins-ci.org/commit/jenkins/dd1b65dc9b28135598c0b2aa42538a7a6cd94ed5
          Log:
          JENKINS-20148 Merged #1494.

          Compare: https://github.com/jenkinsci/jenkins/compare/d5d6ca21ec0d...dd1b65dc9b28

          dogfood added a comment -

          Integrated in jenkins_main_trunk #3885
          [FIXED JENKINS-20148] Rephrase Workspace permission description (Revision 801f37d5a11554fb97bf9c8edbd9f3e5bd21a47f)

          Result = SUCCESS
          daniel-beck : 801f37d5a11554fb97bf9c8edbd9f3e5bd21a47f
          Files :

          • core/src/main/resources/hudson/model/Messages.properties


          Ulli Hafner added a comment - - edited

          Does this mean that plugins should show the contents of workspace files even if someone does not have the WORKSPACE permission (relates to JENKINS-2773)?

          Daniel Beck added a comment -

          drulli Plugin functionality not directly equivalent to Workspace permission (e.g. a workspace browser in Blue Ocean) can probably be considered independent, and may have its own controls.

          Ulli Hafner added a comment -

          But shouldn't this be something that Jenkins defines? Is it allowed to view the source code of a workspace file without special permissions? This is something one should define per Jenkins instance and not per plugin.

          Currently my plugins do not show the contents of workspace files (if the WORKSPACE permission is not set), however several other similar plugins do not have this restriction. So what is the suggested behaviour?


          Daniel Beck added a comment -

          drulli Not well defined AFAIUI. Notably, plugin functionality is typically optional and needs to be set up in a job first (with someone making the decision to make data from the job available to others), while workspace access would always be available regardless of job configuration. So I don't see this as critical.

          Piggybacking on existing permissions, granting access to everyone with Job/Read, or introducing a new permission are all possible approaches.

          This should be continued in a dev list discussion, I think.


            danielbeck Daniel Beck
            mdp mdp
            Votes: 0
            Watchers: 6
