-
Bug
-
Resolution: Fixed
-
Minor
-
None
The tooltip on the Job/Workspace permission in the authorization configuration matrix after saying what the permission really does suggests that "if you don't want an user to access the source code, you can do so by revoking this permission".
Unfortunately the workspace is often only one of many ways to access the source code via Jenkins, which makes the suggestion rather misleading. Eg. for maven projects the archived source artifacts or the source xref report in the archived maven-generated site, both of which are accessible without the 'workspace' permission, give access to the sources.
- links to
Permissions are defined in core, not the security realm.
I would think it would be obvious that what is meant is that this permission can control access to sources from Jenkins, but clearer wording would not hurt; feel free to file a pull request for it.