Status: Closed
Platform: All, OS: All
Global authorization (set up in "Configure System") is ignored when a project
has defined its own local authorization matrix. That seems to be wrong behavior,
shouldn't the local authorization extend the global instead of overriding it?
- is blocking
JENKINS-2745 Project-based perms granted to Anonymous not treated like "Everybody", just Anonymous
- is duplicated by
JENKINS-2444 Project security
Code changed in hudson
User: kohsuke
[FIXED JENKINS-2186] In project-based matrix security, global setting should be inherited to per-job setting.
Comment/question on the implementation in r13654:
The inner class in SidACL.newInheritingACL calls child and
parent.hasPermission(Sid,Permission) directly, so it bypasses
_hasPermission(Authentication,Permission) in those SidImpl classes.
Will it miss checking ANONYMOUS?
Here are the steps to see the ANONYMOUS problem:
1. Global perms:
   - Anonymous does not have Workspace permission
   - UserX is either not listed, or does not have Workspace permission
2. ProjectX perms:
   - Anonymous does have Workspace permission
   - UserX is listed and does not have Workspace permission
When UserX logs in and visits some project that does not have any
project-specific permission, he can see the workspace (it will use only root
ACL, so anonymous is checked). But when UserX visits ProjectX it does not show
the Workspace. He can log out and see the workspace as anonymous, however (since
anonymous is the actual user, that row IS checked).
Is this a bug? Seems a bit inconsistent to skip the extra ANONYMOUS check in
the projects with project-specific permissions. Then again, if you grant
something to Anonymous in a project, you can just check that same box in every
Marking as PATCH.
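
The concern raised in the comment on r13654, as a simplified model (an added example, not Jenkins source; `table`, `inheriting`, `allowed` and `inconsistencies` are hypothetical names, and the `Read` grant is constructed). It merges a project table over a global one at the sid level and lists permissions that Anonymous holds but a logged-in user is denied, with and without the Anonymous fallback:

```python
from typing import Callable, List, Optional, Set, Tuple

ANONYMOUS = "anonymous"  # stand-in for the ANONYMOUS sid named in the comment

# Per-sid lookup: True = granted, None = this table has no grant for the sid.
SidLookup = Callable[[str, str], Optional[bool]]


def table(grants: Set[Tuple[str, str]]) -> SidLookup:
    """Build a per-sid lookup from a set of (sid, permission) grants."""
    return lambda sid, perm: True if (sid, perm) in grants else None


def inheriting(child: SidLookup, parent: SidLookup) -> SidLookup:
    """Merge at the sid level: ask the child first, then the parent."""
    def lookup(sid: str, perm: str) -> Optional[bool]:
        answer = child(sid, perm)
        return answer if answer is not None else parent(sid, perm)
    return lookup


def allowed(acl: SidLookup, user: str, perm: str, anonymous_fallback: bool) -> bool:
    """User-level check. The fallback treats ANONYMOUS grants as grants to everybody."""
    if acl(user, perm):
        return True
    return bool(anonymous_fallback and acl(ANONYMOUS, perm))


def inconsistencies(acl: SidLookup, users: List[str], perms: List[str],
                    anonymous_fallback: bool) -> List[Tuple[str, str]]:
    """Return (user, perm) pairs where anonymous is allowed but a logged-in user is not."""
    return [(u, p) for u in users for p in perms
            if allowed(acl, ANONYMOUS, p, anonymous_fallback)
            and not allowed(acl, u, p, anonymous_fallback)]


# Constructed data following the steps in the comment.
GLOBAL = table({("UserX", "Read")})            # nobody has Workspace globally; Read is made up
PROJECT_X = table({(ANONYMOUS, "Workspace")})  # only Anonymous has Workspace in ProjectX
ACL_X = inheriting(PROJECT_X, GLOBAL)

if __name__ == "__main__":
    checks = (["UserX"], ["Workspace", "Read"])
    print("fallback skipped:", inconsistencies(ACL_X, *checks, anonymous_fallback=False))
    print("fallback applied:", inconsistencies(ACL_X, *checks, anonymous_fallback=True))
```

A non-empty result means logging out grants more access than logging in, which is the symptom described for ProjectX.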