
Project-based perms granted to Anonymous not treated like "Everybody", just Anonymous

    • Type: Patch
    • Resolution: Fixed
    • Priority: Major
    • Component: _unsorted
    • Environment: Platform: All, OS: All

      This is a new issue after commit of r13654 to fix issue #2186.

      Permissions granted to Anonymous at global level will apply to everybody, even
      if their row in global matrix doesn't have that permission checked. This is
      because _hasPermission in GlobalMatrixAuthorizationStrategy checks Anonymous
      after the things that SidACL._hasPermission checks (user,groups,Everybody).

      AuthorizationMatrixProperty also has this extra Anonymous check in
      _hasPermission; however, it is no longer used because the inner class in
      SidACL.newInheritingACL calls child and
      parent.hasPermission(Sid,Permission) directly, so it bypasses
      _hasPermission(Authentication,Permission) in those SidImpl classes.

      Here are the steps to see the ANONYMOUS problem:

      1. Global perms:
         - Anonymous does not have Workspace permission
         - UserX is either not listed, or does not have Workspace permission
      2. ProjectX perms:
         - Anonymous does have Workspace permission
         - UserX is listed and does not have Workspace permission

      When UserX logs in and visits some project that does not have any
      project-specific permission, he can see the workspace (it will use only root
      ACL, so anonymous is checked). But when UserX visits ProjectX it does not show
      the Workspace. He can logout and see the workspace as anonymous, however (since
      anonymous is the actual user, that row IS checked).

      The workaround is easy (if you grant something to anonymous in a project, always
      check that box in every other row in that matrix), but this does seem like a
      bug, no? Different behavior in the global matrix and project matrix.


          Alan Harder added a comment -

          Linking to issue #2186


          Alan Harder added a comment -

          Attached patch moves "anonymous applies to everyone" check from the child
          classes into SidACL itself, so it will be checked for the inheritingACL instance
          too.


          Alan Harder added a comment -

          Created an attachment (id=488)
          Check anonymous permission in SidACL._hasPermission


          Alan Harder added a comment -

          http://fisheye4.atlassian.com/changelog/hudson/?cs=13808

          [FIXED JENKINS-2745] Project-based perms granted to Anonymous were not treated
          like Everyone, just Anonymous.
          Added ANONYMOUS check in SidACL._hasPermissions so it will also apply for
          newInheritingACL() result. This check is moved from
          GlobalMatrixAuthorizationStrategy and AuthorizationMatrixProperty. Also added
          SidACL.toString(Sid), so each child class doesn't need a copy of this code.
          In this method, added check for p==EVERYONE so that Sid can be handled, if
          needed for future use.

          M security/SidACL.java
          M security/GlobalMatrixAuthorizationStrategy.java
          M security/AuthorizationMatrixProperty.java
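The following is an added Python model of the check order described in the issue description and in the fix comment above; it is not Jenkins code (Jenkins is Java) and the classes, the `fixed` switch and the matrix contents are constructed stand-ins for SidACL, GlobalMatrixAuthorizationStrategy, AuthorizationMatrixProperty and the newInheritingACL inner class. It shows why a global Anonymous grant reaches every user while a project-level one does not when the ANONYMOUS fallback lives in the child classes, and how moving that fallback into the base class (the fix) makes the inheriting ACL honour it too.

```python
# Constructed model of the SidACL evaluation order behind JENKINS-2745.
# Not Jenkins code: every class and sid name below is a simplified stand-in.

EVERYONE = "EVERYONE"    # stands in for ACL.EVERYONE
ANONYMOUS = "anonymous"  # stands in for ACL.ANONYMOUS (principal name "anonymous")
READ, WORKSPACE = "Read", "Workspace"


class Authentication:
    def __init__(self, name, groups=()):
        self.name = name
        self.groups = tuple(groups)


class SidACL:
    """Check order of SidACL._hasPermission: user row, group rows, EVERYONE.

    Subclasses answer has_permission(sid, perm) with True (granted) or None
    (no entry). With fixed=True the ANONYMOUS fallback is done here, in the
    base class, as the patch does; with fixed=False it is left to subclasses."""

    def __init__(self, fixed):
        self.fixed = fixed

    def has_permission(self, sid, perm):
        raise NotImplementedError

    def _has_permission(self, auth, perm):
        for sid in (auth.name, *auth.groups, EVERYONE):
            if self.has_permission(sid, perm):
                return True
        if self.fixed and self.has_permission(ANONYMOUS, perm):
            return True
        return None

    def check(self, auth, perm):
        return bool(self._has_permission(auth, perm))

    def new_inheriting_acl(self, parent):
        child = self

        class Inheriting(SidACL):
            # Mirrors the inner class: it asks child then parent by sid and
            # inherits _has_permission from the base, so a fallback placed in
            # the child's own _has_permission override is never consulted.
            def has_permission(self, sid, perm):
                r = child.has_permission(sid, perm)
                return r if r is not None else parent.has_permission(sid, perm)

        return Inheriting(child.fixed)


class MatrixACL(SidACL):
    """Stand-in for the two matrix classes: sid -> set of granted permissions."""

    def __init__(self, grants, fixed):
        super().__init__(fixed)
        self.grants = {sid: set(perms) for sid, perms in grants.items()}

    def has_permission(self, sid, perm):
        return True if perm in self.grants.get(sid, ()) else None

    def _has_permission(self, auth, perm):
        r = super()._has_permission(auth, perm)
        if r is None and not self.fixed:
            # Pre-fix location of "anonymous applies to everyone": only
            # reached when this class's own _has_permission is called.
            r = self.has_permission(ANONYMOUS, perm)
        return r


def evaluate(fixed):
    """Workspace/Read decisions for a constructed setup: global matrix grants
    Anonymous only Read; ProjectX grants Anonymous Read+Workspace and lists
    UserX with Read only."""
    global_acl = MatrixACL({ANONYMOUS: {READ}}, fixed)
    project_x = MatrixACL({ANONYMOUS: {READ, WORKSPACE}, "UserX": {READ}},
                          fixed).new_inheriting_acl(global_acl)
    user_x = Authentication("UserX")
    anon = Authentication(ANONYMOUS)
    return {
        "UserX read on job without project matrix": global_acl.check(user_x, READ),
        "UserX workspace on ProjectX": project_x.check(user_x, WORKSPACE),
        "anonymous workspace on ProjectX": project_x.check(anon, WORKSPACE),
    }


if __name__ == "__main__":
    for fixed in (False, True):
        print("after fix:" if fixed else "before fix:", evaluate(fixed))
```

Before the fix, UserX gets Read on a job that has no project matrix (the global ACL's own override checks the anonymous row) but is refused the ProjectX workspace, while logging out and visiting as anonymous succeeds; after the fix all three checks succeed, because the inheriting ACL now runs the ANONYMOUS fallback from the base class.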


          Alan Harder added a comment -

          Fixed, see above comment.


            mindless Alan Harder