Redeploy link is displayed to Anonymous users with read only permissions for a job

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component: maven-plugin
    • Environment: Jenkins 1.590, Java 1.7.0_67

      Hello,

      We have a job with project-based security enabled. The job has to be visible to anonymous users and they should only have read-only permissions. After applying the "Read" permission for the job I tried checking it out as an anonymous user. The job is displayed to the user, but I found out he can redeploy artifacts by clicking on the last successful/failed build number. This functionality is not desired and probably a bug.

      Regards,
      Steve

          [JENKINS-25691] Redeploy link is displayed to Anonymous users with read only permissions for a job

          Jesse Glick added a comment -

          MavenAbstractArtifactRecord is in a plugin.

          Jesse Glick added a comment -

          Just looked at the code and confirmed that it is checking build permission on the job as expected. So maybe your ACL is simply misconfigured.

          Steve Todorov added a comment - - edited

          It might be a misconfiguration, but I can't seem to figure out what's the problem. I've attached the current global security configuration and the job's configuration as well. If I don't set "Overall - Read" permission to the Anonymous user in the Global Security, anonymous users can't see the job even if I set "Job - Read" permission in the project-based security.

          Daniel Beck added a comment -

          Is the job in a folder (Cloudbees Folder plugin) and the permission inherited from that?

          Steve Todorov added a comment - - edited

          @Daniel no, the job is only in a view. We don't use the Cloudbees Folder plugin at all.

          Daniel Beck added a comment -

          This is only a cosmetic issue, as clicking the link will require users to authenticate (if anonymous) or tell them they're not allowed (otherwise).

          Pull request with fix: https://github.com/jenkinsci/maven-plugin/pull/33

          Steve Todorov added a comment -

          You're right, I double tested it and when the user clicks the link it forces him to login. I probably was logged in last time when it deployed the artifacts. Thanks for checking and solving this issue!

          Jesse Glick added a comment -

          I guess the JIRA link daemon is down again.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path: core/src/main/java/hudson/model/TaskAction.java
          http://jenkins-ci.org/commit/jenkins/08542cad7524ba4838922622889700e4dd7c2ce1
          Log:
          Javadoc notes warning that the action should be hidden if impermissible.
          JENKINS-25691 Might have prevented the need for: https://github.com/jenkinsci/maven-plugin/pull/33
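
Added example, not part of the original thread and not code from Jenkins or the maven-plugin: a stand-alone Java model of the two checks discussed above, the request handler that enforces the build permission and the link rendering that should apply the same check. All class, method and user names are hypothetical, and the ACL is constructed sample data.

```java
import java.util.*;

// Stand-alone model; every name below is hypothetical, not Jenkins API.
public class RedeployLinkDemo {
    enum Permission { READ, BUILD }

    // Constructed sample ACL: anonymous may only read the job.
    static final Map<String, Set<Permission>> ACL = Map.of(
        "anonymous", EnumSet.of(Permission.READ),
        "developer", EnumSet.of(Permission.READ, Permission.BUILD));

    static boolean has(String user, Permission p) {
        return ACL.getOrDefault(user, Set.of()).contains(p);
    }

    // Reported behaviour: the link is rendered for anyone who can read the job.
    static Optional<String> linkBeforeFix(String user) {
        return has(user, Permission.READ) ? Optional.of("redeploy") : Optional.empty();
    }

    // Fixed behaviour: the link is rendered only if the handler would accept the user.
    static Optional<String> linkAfterFix(String user) {
        return has(user, Permission.BUILD) ? Optional.of("redeploy") : Optional.empty();
    }

    // The handler enforces the permission itself, whatever the page rendered.
    static String handleRedeploy(String user) {
        if (!has(user, Permission.BUILD)) {
            return user.equals("anonymous") ? "redirect to login" : "403 forbidden";
        }
        return "redeploy started";
    }

    public static void main(String[] args) {
        for (String user : List.of("anonymous", "developer")) {
            System.out.printf("%-9s linkBefore=%s linkAfter=%s request=%s%n", user,
                linkBeforeFix(user).isPresent(), linkAfterFix(user).isPresent(),
                handleRedeploy(user));
        }
    }
}
```

The handler's result for the anonymous user is the same before and after the fix, which is why the issue was classed as cosmetic: only the rendering check changed.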

            danielbeck Daniel Beck
            tftd Steve Todorov