Credentials metadata leak in ServerCredentialMapping


ServerCredentialMapping.DescriptorImpl.doFillCredentialsIdItems should probably start with

```java
if (context == null || !context.hasPermission(Item.CONFIGURE)) {
    return new ListBoxModel();
}
```

lest it expose credentials IDs and descriptions to anonymous users.

This is assuming that context is actually expected to be non-null. Though if so, why is CredentialsHelper.findValidCredentials ignoring it? If there is no item context, check something, such as Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER).
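The shape of the check the report asks for, written out as an added example (this is not the plugin's own code, and the credential type StandardUsernamePasswordCredentials, the class name and the @AncestorInPath binding of the item context are assumptions for illustration). The form-fill endpoint denies before it lists: with an item context it requires Item.CONFIGURE on that item, and without one it falls back to Jenkins.ADMINISTER, so an anonymous caller gets an empty list rather than credential IDs and descriptions.

```java
// Added example, not the plugin's own code. Hardened form-fill method for a
// credentialsId select box: gate on permissions first, enumerate second.
import com.cloudbees.plugins.credentials.CredentialsNameProvider;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import java.util.Collections;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;

public class HardenedCredentialsFillExample {

    // Stapler binds the enclosing job (if any) as the item context. Assumed
    // signature for illustration; the credential type is also an assumption.
    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item context) {
        ListBoxModel model = new ListBoxModel();

        // Deny before listing. Without an item context there is nothing to
        // check CONFIGURE against, so require overall ADMINISTER instead.
        if (context == null) {
            if (!Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER)) {
                return model;
            }
        } else if (!context.hasPermission(Item.CONFIGURE)) {
            return model;
        }

        // The caller has proven configure rights on this item, so enumerating
        // as SYSTEM here exposes only what that user may legitimately select.
        for (StandardUsernamePasswordCredentials c : CredentialsProvider.lookupCredentials(
                StandardUsernamePasswordCredentials.class, context, ACL.SYSTEM,
                Collections.<DomainRequirement>emptyList())) {
            // Display name is shown to the user; the ID is the submitted value.
            model.add(CredentialsNameProvider.name(c), c.getId());
        }
        return model;
    }
}
```

The order matters: the lookup runs as ACL.SYSTEM, which sees every credential in scope, so any enumeration helper that ignores the item context (as the report says CredentialsHelper.findValidCredentials does) must only be reached after the permission gate has passed.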

Assignee: Dominik Bartholdi
Reporter: Jesse Glick
Votes: 0
Watchers: 3
