
[JENKINS-24902] Jenkins's security is not applied for IM user

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical
    • Jenkins 1.581
      instant-messaging plugin 1.30

In the global authorization matrix (https://ci.gfi.fr/jenkins/configureSecurity/), the "Authorization" option is "Project-based Matrix Authorization Strategy":
the "jenkins-im" user has all authorizations, and is the one I've mapped to the "Jenkins Username" parameter of the "instant-messaging plugin".

I have a user with no rights at all in Jenkins but who is allowed to connect to the conference used by "jenkins-im".

This user can send any bot commands, and this is really weird. The same is true for a registered Jenkins user having only read/view rights. If he can only see builds using the Web/REST/CLI interfaces, this plugin acts like a "sudo".

The "Jenkins Username" parameter of the "instant-messaging plugin" should be removed or merged with the rights of the connected IM user. The Jenkins user corresponding to the author of the bot command must be used.
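The following is an added illustration of the two designs the report contrasts; it is not code from the instant-messaging plugin or from Jenkins. It models a chat bot that receives commands from IM users and asks Jenkins to act: in the "sudo"-style design every command is authorized as the bot's own service account ("jenkins-im"), while in the hardened design the IM sender is mapped to a Jenkins user and that user's permissions decide whether the command runs. The permission matrix, the IM-to-Jenkins mapping, the command table and the user names are all constructed sample data, and the permission names are assumptions used only for the model.

```python
"""Constructed model of the authorization gap described in JENKINS-24902.

Added illustration, not plugin or Jenkins code. Compares a bot that acts as
its own all-powerful account with one that authorizes each command as the
Jenkins user behind the IM sender.
"""

# Constructed project-based authorization matrix: user -> set of permissions.
# Mirrors the report's setup: the bot account has every right, a registered
# user has read-only rights, and an unmapped chat participant has nothing.
AUTH_MATRIX = {
    "jenkins-im": {"Job.Read", "Job.Build", "Job.Cancel", "Job.Configure"},
    "alice": {"Job.Read"},
}

# Constructed mapping from IM identity to Jenkins username. Anyone not
# listed is treated as unauthenticated (the "user with no rights" case).
IM_TO_JENKINS = {
    "alice@conference.example": "alice",
}

# Constructed table of the permission each bot command requires
# (permission names are assumed for the model, not taken from Jenkins).
COMMAND_PERMISSION = {
    "status": "Job.Read",
    "build": "Job.Build",
    "abort": "Job.Cancel",
}

BOT_ACCOUNT = "jenkins-im"


class PermissionDenied(Exception):
    """Raised when the acting identity lacks the required permission."""


def has_permission(jenkins_user, permission):
    """Look the permission up in the matrix; unknown users have no rights."""
    return permission in AUTH_MATRIX.get(jenkins_user, set())


def dispatch_as_bot(im_sender, command):
    """Pattern the report complains about: every command is authorized as
    the bot's own Jenkins account, so the sender's identity never matters."""
    needed = COMMAND_PERMISSION[command]
    if not has_permission(BOT_ACCOUNT, needed):
        raise PermissionDenied(command)
    return f"{command} executed as {BOT_ACCOUNT} on behalf of {im_sender}"


def dispatch_as_sender(im_sender, command):
    """Hardened pattern the report asks for: resolve the IM sender to a
    Jenkins user and check that user's permissions; unmapped senders get
    the anonymous (empty) permission set."""
    needed = COMMAND_PERMISSION[command]
    jenkins_user = IM_TO_JENKINS.get(im_sender)  # None -> anonymous
    if not has_permission(jenkins_user, needed):
        raise PermissionDenied(f"{im_sender} lacks {needed} for {command}")
    return f"{command} executed as {jenkins_user} for {im_sender}"


def allowed(dispatcher, im_sender, command):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        dispatcher(im_sender, command)
        return True
    except PermissionDenied:
        return False


if __name__ == "__main__":
    for sender in ("stranger@conference.example", "alice@conference.example"):
        for cmd in COMMAND_PERMISSION:
            print(f"{sender:28} {cmd:7} as-bot={allowed(dispatch_as_bot, sender, cmd)!s:5} "
                  f"as-sender={allowed(dispatch_as_sender, sender, cmd)}")
```

Running the block prints one row per sender and command: with `dispatch_as_bot` every command succeeds for everyone, including a sender with no Jenkins account, which is the "sudo" behaviour the report describes; with `dispatch_as_sender` the unmapped sender gets nothing and the read-only user can run `status` but not `build` or `abort`, matching what the same person could do through the Web/REST/CLI interfaces.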

Assignee: kutzi
Reporter: Fabrice Daugan (fabdouglas)