[JENKINS-25691] Redeploy link is displayed to Anonymous users with read only permissions for a job

Type: Bug
Resolution: Fixed
Priority: Minor
Component/s: maven-plugin
Labels:
- permission
Environment:
Jenkins: 1.590
Java: 1.7.0_67

Similar Issues:
Powered by SuggestiMate

Show

Hello,

We have a job with project-based security enabled. The job has to be visible to anonymous users and they should only have read-only permissions. After applying the "Read" permission for the job I tried checking out it out as an anonymous user. The job is displayed to the user, but I found out he can redeploy artifacts by clicking on the last successful/failed build number. This functionality is not desired and probably a bug.

Regards,
Steve

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

Configure Global Security ACL.png
54 kB
2014-11-19 16:21
job acl.png
37 kB
2014-11-19 16:21
screenshot.png
35 kB
2014-11-19 13:38

links to

PR 33

Steve Todorov created issue - 2014-11-19 13:38

Jesse Glick added a comment - 2014-11-19 15:24

MavenAbstractArtifactRecord is in a plugin.

Jesse Glick added a comment - 2014-11-19 15:24 MavenAbstractArtifactRecord is in a plugin.

Jesse Glick made changes - 2014-11-19 15:24

Component/s		New: maven-plugin [ 16033 ]
Component/s	Original: security [ 15508 ]
Component/s	Original: core [ 15593 ]
Component/s	Original: matrix-auth-plugin [ 18131 ]
Assignee	Original: Jesse Glick [ jglick ]
Labels		New: permission

Jesse Glick added a comment - 2014-11-19 15:25

Just looked at the code and confirmed that it is checking build permission on the job as expected. So maybe your ACL is simply misconfigured.

Jesse Glick added a comment - 2014-11-19 15:25 Just looked at the code and confirmed that it is checking build permission on the job as expected. So maybe your ACL is simply misconfigured.

Steve Todorov added a comment - 2014-11-19 16:21 - edited

It might be a misconfiguration, but I can't seem to figure out what's the problem. I've attached the current global security configuration and the job's configuration as well. If I don't set "Overall - Read" permission to the Anonymous user in the Global Security, anonymous users can't see the job even if I set "Job - Read" permission in the project-based security.

Steve Todorov added a comment - 2014-11-19 16:21 - edited It might be a misconfiguration, but I can't seem to figure out what's the problem. I've attached the current global security configuration and the job's configuration as well. If I don't set "Overall - Read" permission to the Anonymous user in the Global Security, anonymous users can't see the job even if I set "Job - Read" permission in the project-based security.

Steve Todorov made changes - 2014-11-19 16:21

Attachment		New: Configure Global Security ACL.png [ 28036 ]
Attachment		New: job acl.png [ 28037 ]

Daniel Beck added a comment - 2014-11-20 00:21

Is the job in a folder (Cloudbees Folder plugin) and the permission inherited from that?

Daniel Beck added a comment - 2014-11-20 00:21 Is the job in a folder (Cloudbees Folder plugin) and the permission inherited from that?

Steve Todorov added a comment - 2014-11-20 18:19 - edited

@Daniel no, the job is only in a view. We don't use the Cloudbees Folder plugin at all.

Steve Todorov added a comment - 2014-11-20 18:19 - edited @Daniel no, the job is only in a view. We don't use the Cloudbees Folder plugin at all.

Daniel Beck made changes - 2014-11-20 18:36

Assignee

New: Daniel Beck [ danielbeck ]

Daniel Beck added a comment - 2014-11-20 19:01

This is only a cosmetic issue, as clicking the link will require users to authenticate (if anonymous) or tell them they're not allowed (otherwise).

Pull request with fix: https://github.com/jenkinsci/maven-plugin/pull/33

Daniel Beck added a comment - 2014-11-20 19:01 This is only a cosmetic issue, as clicking the link will require users to authenticate (if anonymous) or tell them they're not allowed (otherwise). Pull request with fix: https://github.com/jenkinsci/maven-plugin/pull/33

Assignee:: Daniel Beck

Reporter:: Steve Todorov

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2014-11-19 13:38

Updated:: 2014-12-17 17:23

Resolved:: 2014-11-21 16:49

Jenkins

Details

Description

Attachments

Attachments

Issue Links

Activity

Collapse comment: Jesse Glick added a comment - 2014-11-19 15:24

Expand comment: Jesse Glick added a comment - 2014-11-19 15:24

Collapse comment: Jesse Glick added a comment - 2014-11-19 15:25

Expand comment: Jesse Glick added a comment - 2014-11-19 15:25

Collapse comment: Steve Todorov added a comment - 2014-11-19 16:21, Edited by Steve Todorov - 2014-11-19 16:21

Expand comment: Steve Todorov added a comment - 2014-11-19 16:21, Edited by Steve Todorov - 2014-11-19 16:21

Collapse comment: Daniel Beck added a comment - 2014-11-20 00:21

Expand comment: Daniel Beck added a comment - 2014-11-20 00:21

Collapse comment: Steve Todorov added a comment - 2014-11-20 18:19, Edited by Steve Todorov - 2014-11-20 18:20

Expand comment: Steve Todorov added a comment - 2014-11-20 18:19, Edited by Steve Todorov - 2014-11-20 18:20

Collapse comment: Daniel Beck added a comment - 2014-11-20 19:01

Expand comment: Daniel Beck added a comment - 2014-11-20 19:01

People

Dates