Jenkins issue JENKINS-2745

Project-based perms granted to Anonymous not treated like "Everybody", just Anonymous


Details

    • Patch
    • Status: Closed
    • Major
    • Resolution: Fixed
    • _unsorted
    • Platform: All, OS: All

    Description

      This is a new issue after commit of r13654 to fix issue #2186.

      Permissions granted to Anonymous at global level will apply to everybody, even
      if their row in global matrix doesn't have that permission checked. This is
      because _hasPermission in GlobalMatrixAuthorizationStrategy checks Anonymous
      after the things that SidACL._hasPermission checks (user,groups,Everybody).

      AuthorizationMatrixProperty also has this extra Anonymous check in
      _hasPermission. However, it is no longer used because the inner class in
      SidACL.newInheritingACL calls child and
      parent.hasPermission(Sid,Permission) directly, so it bypasses
      _hasPermission(Authentication,Permission) in those SidImpl classes.

      Here are the steps to see the ANONYMOUS problem:

      1. Global perms:
         - Anonymous does not have Workspace permission
         - UserX is either not listed, or does not have Workspace permission
      2. ProjectX perms:
         - Anonymous does have Workspace permission
         - UserX is listed and does not have Workspace permission

      When UserX logs in and visits some project that does not have any
      project-specific permission, he can see the workspace (it will use only root
      ACL, so anonymous is checked). But when UserX visits ProjectX it does not show
      the Workspace. He can logout and see the workspace as anonymous, however (since
      anonymous is the actual user, that row IS checked).

      The workaround is easy (if you grant something to anonymous in a project, always
      check that box in every other row in that matrix), but this does seem like a
      bug, no? Different behavior in the global matrix and project matrix.
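The ACL layering the description walks through, modelled as an added example (not Jenkins's own code): a base SidACL whose _hasPermission checks user, groups and EVERYONE, a matrix subclass that adds the ANONYMOUS check, and an inheriting ACL that only overrides the per-Sid lookup. The `fixed` flag switches to the layout after changeset 13808, where the ANONYMOUS check lives in SidACL itself; the grant tables are constructed from the steps above.

```python
EVERYONE, ANONYMOUS = "everyone", "anonymous"   # automatic Sids, as in Jenkins' ACL
WORKSPACE = "Workspace"
class SidACL:
    """Base ACL over a Sid -> {permission} table; None means 'no opinion'."""
    def __init__(self, grants, fixed):
        self.grants = grants        # {sid: set(permissions)}, constructed test data
        self.fixed = fixed          # True = layout after changeset 13808

    def has_permission(self, sid, perm):
        return True if perm in self.grants.get(sid, ()) else None

    def _has_permission(self, user, groups, perm):
        # user, then groups, then EVERYONE; after the fix ANONYMOUS is checked here too
        sids = [user, *groups, EVERYONE] + ([ANONYMOUS] if self.fixed else [])
        for sid in sids:
            b = self.has_permission(sid, perm)
            if b is not None:
                return b
        return None

    def new_inheriting_acl(self, parent):
        # The inheriting ACL only overrides the per-Sid lookup (child first, then
        # parent); its _has_permission is the base one, so a subclass override is bypassed.
        child = self
        inherited = SidACL({}, self.fixed)
        def lookup(sid, perm):
            b = child.has_permission(sid, perm)
            return b if b is not None else parent.has_permission(sid, perm)
        inherited.has_permission = lookup
        return inherited

class MatrixACL(SidACL):
    """Pre-fix matrix strategy/property: 'anonymous applies to everyone' lives only here."""
    def _has_permission(self, user, groups, perm):
        b = super()._has_permission(user, groups, perm)
        if b is None and not self.fixed:
            b = self.has_permission(ANONYMOUS, perm)
        return b

def global_only_can_see_workspace(user, fixed):
    """No project matrix: only the global MatrixACL is consulted, so the subclass check runs."""
    global_acl = MatrixACL({ANONYMOUS: {WORKSPACE}, "UserX": set()}, fixed)
    return bool(global_acl._has_permission(user, [], WORKSPACE))

def project_can_see_workspace(user, fixed):
    """ProjectX setup from the issue: global grants nothing, ProjectX grants anonymous Workspace."""
    global_acl = MatrixACL({ANONYMOUS: set(), "UserX": set()}, fixed)
    project_acl = MatrixACL({ANONYMOUS: {WORKSPACE}, "UserX": set()}, fixed)
    return bool(project_acl.new_inheriting_acl(global_acl)._has_permission(user, [], WORKSPACE))
```

Before the fix, UserX is denied on ProjectX while a logged-out visitor (principal ANONYMOUS) is allowed; with `fixed=True` the anonymous grant reaches UserX through the inherited ACL as well.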

          Activity

            mindless Alan Harder added a comment -

            Linking to issue #2186

            mindless Alan Harder added a comment -

            Attached patch moves "anonymous applies to everyone" check from the child
            classes into SidACL itself, so it will be checked for the inheritingACL instance
            too.

            mindless Alan Harder added a comment -

            Created an attachment (id=488)
            Check anonymous permission in SidACL._hasPermission

            mindless Alan Harder added a comment -

            http://fisheye4.atlassian.com/changelog/hudson/?cs=13808

            [FIXED JENKINS-2745] Project-based perms granted to Anonymous were not treated
            like Everyone,
            just Anonymous.
            Added ANONYMOUS check in SidACL._hasPermissions so it will also
            apply for newInheritingACL() result. This check is moved from
            GlobalMatrixAuthorizationStrategy and AuthorizationMatrixProperty.
            Also added SidACL.toString(Sid), so each child class doesn't need
            a copy of this code. In this method, added check for p==EVERYONE
            so that Sid can be handled, if needed for future use.

            M security/SidACL.java
            M security/GlobalMatrixAuthorizationStrategy.java
            M security/AuthorizationMatrixProperty.java

            mindless Alan Harder added a comment -

            Fixed, see above comment.


            People

              Assignee: Alan Harder (mindless)
              Reporter: Alan Harder (mindless)