  1. Jenkins
  2. JENKINS-2745

Project-based perms granted to Anonymous not treated like "Everybody", just Anonymous


    • Type: Patch
    • Resolution: Fixed
    • Priority: Major
    • _unsorted
    • None
    • Platform: All, OS: All

      This is a new issue after commit of r13654 to fix issue #2186.

      Permissions granted to Anonymous at global level will apply to everybody, even
      if their row in global matrix doesn't have that permission checked. This is
      because _hasPermission in GlobalMatrixAuthorizationStrategy checks Anonymous
      after the things that SidACL._hasPermission checks (user,groups,Everybody).

      AuthorizationMatrixProperty also has this extra Anonymous check in
      _hasPermission; however, it is no longer used because the inner class in
      SidACL.newInheritingACL calls child and
      parent.hasPermission(Sid,Permission) directly, so it bypasses
      _hasPermission(Authentication,Permission) in those SidImpl classes.

      Here are the steps to see the ANONYMOUS problem:

      1. Global perms:
         - Anonymous does not have Workspace permission
         - UserX is either not listed, or does not have Workspace permission
      2. ProjectX perms:
         - Anonymous does have Workspace permission
         - UserX is listed and does not have Workspace permission

      When UserX logs in and visits some project that does not have any
      project-specific permission, he can see the workspace (it will use only root
      ACL, so anonymous is checked). But when UserX visits ProjectX it does not show
      the Workspace. He can log out and see the workspace as anonymous, however (since
      anonymous is the actual user, that row IS checked).

      The workaround is easy (if you grant something to anonymous in a project, always
      check that box in every other row in that matrix), but this does seem like a
      bug, no? Different behavior in the global matrix and project matrix.

            mindless Alan Harder
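A simplified Java model of the two evaluation paths described in the report, added here as an illustration and not taken from Jenkins source code. The names `Matrix`, `withAnonymousFallback`, `inheriting` and `sidChecks`, and the sample matrices (built from the reproduction steps, with a `Read` grant added so the rows are non-empty), are assumptions.

```java
import java.util.*;

// Simplified model of the two permission paths in the report.
// Not Jenkins source: all class and method names are hypothetical.
public class AnonymousFallbackDemo {
    static final String ANONYMOUS = "anonymous", EVERYONE = "everyone";

    // One permission matrix: sid -> permissions granted in that row.
    record Matrix(Map<String, Set<String>> rows) {
        // Sid-level lookup: TRUE if the row grants it, null for "no opinion".
        Boolean hasPermission(String sid, String perm) {
            return rows.getOrDefault(sid, Set.of()).contains(perm) ? Boolean.TRUE : null;
        }
    }

    // Shared sid walk: user, then groups, then Everybody, across the ACL chain.
    static boolean sidChecks(List<Matrix> chain, String user, List<String> groups, String perm) {
        List<String> sids = new ArrayList<>(List.of(user));
        sids.addAll(groups);
        sids.add(EVERYONE);
        for (String sid : sids)
            for (Matrix m : chain)
                if (m.hasPermission(sid, perm) != null) return true;
        return false;
    }

    // Path A: the sid walk plus the extra Anonymous check made afterwards.
    static boolean withAnonymousFallback(Matrix m, String user, List<String> groups, String perm) {
        return sidChecks(List.of(m), user, groups, perm) || m.hasPermission(ANONYMOUS, perm) != null;
    }

    // Path B: inheriting ACL asks child and parent per sid; the Anonymous
    // fallback is never reached for a logged-in user.
    static boolean inheriting(Matrix child, Matrix parent, String user, List<String> groups, String perm) {
        return sidChecks(List.of(child, parent), user, groups, perm);
    }

    public static void main(String[] args) {
        // Constructed matrices matching the reproduction steps.
        Matrix global = new Matrix(Map.of(ANONYMOUS, Set.of("Read")));
        Matrix projectX = new Matrix(Map.of(ANONYMOUS, Set.of("Workspace"), "UserX", Set.of("Read")));
        List<String> none = List.of();
        System.out.println("UserX, inheriting ACL:      " + inheriting(projectX, global, "UserX", none, "Workspace"));
        System.out.println("UserX, anonymous fallback:  " + withAnonymousFallback(projectX, "UserX", none, "Workspace"));
        System.out.println("anonymous, inheriting ACL:  " + inheriting(projectX, global, ANONYMOUS, none, "Workspace"));
    }
}
```

Running the same user and permission through both paths and comparing the results is a quick regression check for this kind of inconsistency between a matrix-level check and an inheriting one.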