• Type: Bug
    • Resolution: Unresolved
    • Priority: Critical
    • cluster-stats-plugin
    • None

      While looking at how to show the stats in a dashboard for the benefit of a larger audience than the admins.. I noticed that the URL plugin/cluster-stats/ 'just' works, even for anonymous users.. that is fine, except that the button 'Delete Recorded Information' is also there... that is less 'fine'...

      PS: I have not checked if clicking the button actually deletes the data.. I'm in no rush to lose it

      In order of preference:

      • the two buttons are not shown unless you are admin
      • the buttons are shown but do not do anything (or error-out) if not admin
      • the whole page is protected and requires admin

          [JENKINS-26427] Anonymous can delete data file

          Norbert Thiebaud created issue -

          Daniel Beck added a comment - There seems to be no permission check in the form submission handler. https://github.com/jenkinsci/cluster-stats/blob/master/src/main/java/org/zeroturnaround/stats/ClusterStatisticsPlugin.java#L67
          Daniel Beck made changes -
          Priority Original: Minor [ 4 ] New: Critical [ 2 ]
          R. Tyler Croy made changes -
          Workflow Original: JNJira [ 160494 ] New: JNJira + In-Review [ 180373 ]
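
The kind of server-side check the comment above reports as missing, shown as an added example that is not the cluster-stats plugin's own code. The class, URL name, data file name and method names are hypothetical, and it assumes a Jenkins core recent enough to provide `Jenkins.get()` on the classpath.

```java
import hudson.Extension;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

// Hypothetical action: names below are illustrative, not taken from cluster-stats.
@Extension
public class ExampleStatsAction implements RootAction {

    // The read-only page stays reachable, matching the reporter's first preference.
    @Override public String getIconFileName() { return "graph.png"; }
    @Override public String getDisplayName() { return "Example Stats"; }
    @Override public String getUrlName() { return "example-stats"; }

    // Lets the view hide the destructive button from non-admins,
    // e.g. <j:if test="${it.canDelete}"> around the form in index.jelly.
    public boolean isCanDelete() {
        return Jenkins.get().hasPermission(Jenkins.ADMINISTER);
    }

    // Stapler binds this to POST <rootURL>/example-stats/deleteData.
    // @RequirePOST rejects plain GET requests to the handler.
    @RequirePOST
    public HttpResponse doDeleteData() throws IOException {
        // Enforced in the handler itself: hiding the button does not stop a
        // direct request. Throws AccessDeniedException when the caller
        // (including anonymous) lacks Overall/Administer.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);

        // Hypothetical data file under JENKINS_HOME.
        File data = new File(Jenkins.get().getRootDir(), "example-stats.xml");
        Files.deleteIfExists(data.toPath());
        return HttpResponses.redirectToDot();
    }
}
```

The `isCanDelete()` check only controls what the page renders; the `checkPermission` call in the handler is what actually blocks the request.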

            Assignee: Unassigned
            Reporter: Norbert Thiebaud (shmget)