[JENKINS-20148] Misleading description of the 'workspace' permission

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component: core

      The tooltip on the Job/Workspace permission in the authorization configuration matrix, after saying what the permission really does, suggests that "if you don't want an user to access the source code, you can do so by revoking this permission".

      Unfortunately the workspace is often only one of many ways to access the source code via Jenkins, which makes the suggestion rather misleading. E.g. for Maven projects the archived source artifacts or the source xref report in the archived Maven-generated site, both of which are accessible without the 'workspace' permission, give access to the sources.
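      A small audit script, added here as an example (it is not part of the issue or of Jenkins itself), that lets an administrator verify the point above on their own instance: run it with a test account that holds Job/Read but not Job/Workspace and see which source-bearing routes of a job still answer HTTP 200. The `ws/` path is Jenkins' workspace browser URL; the artifact and `site/xref/` paths are the ones named in this issue; authentication uses the account's Jenkins API token over HTTP basic auth. The `fake_jenkins_fetch` function is a constructed stand-in so the script can be exercised offline; `http_status` is what you would pass for a live server.

```python
"""Audit which source-bearing routes of a Jenkins job an account can read.

Added example, not Jenkins code.  Intended to be run by an administrator
against their own Jenkins with a low-privilege test account (Job/Read only)
to confirm that revoking Job/Workspace alone does not hide the sources.
"""
import base64
import urllib.error
import urllib.request
from typing import Callable, Dict

# Routes under /job/<name>/ that can expose checked-out source.
# Only the first is gated by Job/Workspace; the other two are reachable with
# Job/Read alone whenever the build archived the corresponding files.
SOURCE_ROUTES: Dict[str, str] = {
    "workspace browser": "ws/",
    "archived artifacts": "lastSuccessfulBuild/artifact/",
    "Maven site (xref)": "site/xref/index.html",
}


def http_status(url: str, user: str, api_token: str, timeout: float = 10.0) -> int:
    """GET `url` with HTTP basic auth (Jenkins user + API token); return the status code."""
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # 403 (permission denied) and 404 (nothing archived) are both "not readable".
        return err.code


def audit_job(base_url: str, job: str, fetch: Callable[[str], int]) -> Dict[str, bool]:
    """Map each route label to True when the account can read it (HTTP 200).

    `fetch` takes a URL and returns a status code; pass a closure over
    `http_status` for a real server, or a fake for offline use.
    """
    base = base_url.rstrip("/") + "/job/" + job + "/"
    return {label: fetch(base + path) == 200 for label, path in SOURCE_ROUTES.items()}


def leaks_without_workspace(result: Dict[str, bool]) -> bool:
    """True when the workspace is hidden but sources are still readable elsewhere."""
    others = [ok for label, ok in result.items() if label != "workspace browser"]
    return (not result["workspace browser"]) and any(others)


def fake_jenkins_fetch(url: str) -> int:
    """Constructed stand-in: a Job/Read-only account is refused the workspace
    browser (403) but can still fetch archived artifacts and the Maven site."""
    return 403 if url.endswith("/ws/") else 200


if __name__ == "__main__":
    # Offline demonstration with the constructed fake; swap in
    # lambda u: http_status(u, "testuser", "<API_TOKEN>") for a live check.
    report = audit_job("http://myjenkins.example.com", "myjob", fake_jenkins_fetch)
    for label, readable in report.items():
        print(f"{label:20s} {'readable' if readable else 'denied'}")
    if leaks_without_workspace(report):
        print("Sources are still reachable without Job/Workspace.")
```

With a live server, every route that reports "readable" for the Job/Read-only account is a place where revoking Job/Workspace did nothing; the usual remedies are to stop archiving source artifacts and Maven sites for that job, or to restrict Job/Read itself.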


          mdp created issue -

          Jesse Glick added a comment -

          Permissions are defined in core, not the security realm.

          I would think it would be obvious that what is meant is that this permission can control access to sources from Jenkins, but clearer wording would not hurt; feel free to file a pull request for it.

          Jesse Glick made changes -
          Component/s New: core [ 15593 ]
          Component/s Original: matrix-auth [ 18131 ]

          mdp added a comment -

          Well, yes and no.
          http://myjenkins.example.com/job/myjob/site/xref/index.html and http://myjenkins.example.com/job/myjob/com.example.group$module/lastSuccessfulBuild/artifact/com.example.group/module/1.0.0-SNAPSHOT/module-1.0.0-SNAPSHOT-sources.jar can, I think, be considered "accessing sources from Jenkins", if only because these URLs start with http://myjenkins.example.com/job/myjob/

          Still, the workspace is the workspace, so probably accessing these other source locations should just require its own permissions (different from Job/Read, I mean).

          Anyway, I will try to come up with a better wording for the tooltip on this one.


          Daniel Beck added a comment -
          • Users could access workspace contents when it's archived as artifacts
          • Users could access workspace contents by logging into the slave where the workspace resides
          • Crazy plugins can poke additional holes

          It seems to be pretty impossible to write a useful description that mentions all of this and keeps it short enough. I therefore suggest additional details be added in external documentation (e.g. here) and this issue closed.


          R. Tyler Croy added a comment -

          Don't mind me, I'm just here feeding the chickens

          Daniel Beck made changes -
          Assignee Original: Jesse Glick [ jglick ] New: Daniel Beck [ danielbeck ]

          Daniel Beck added a comment -

          Suggestion:

          This permission grants the ability to retrieve the contents of a workspace Jenkins checked out for performing builds. If you don’t want a user to access the checked out source code or build results through the workspace browser, you can revoke this permission.

          Previous:

          This permission grants the ability to retrieve the contents of a workspace Jenkins checked out for performing builds. If you don’t want an user to access the source code, you can do so by revoking this permission.


          Jesse Glick added a comment -

          Sounds good to me.

          Daniel Beck made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]

            Assignee: Daniel Beck (danielbeck)
            Reporter: mdp
            Votes: 0
            Watchers: 6
