[JENKINS-31649] SECURITY-186 regression: non-item tasks hidden

Type: Bug
Resolution: Fixed
Priority: Major
Component/s: core
Labels:

Similar Issues:
Powered by SuggestiMate

Show

The fix for SECURITY-186 hides a lot of other tasks that should not be hidden... rather than testing for tasks that implement Item it should be checking against tasks that implement AccessControlled so that tasks can still remain visible

links to

workflow PR 258

SCM/JIRA link daemon added a comment - 2015-11-20 11:20

Code changed in jenkins
User: Stephen Connolly
Path:
core/src/main/java/hudson/model/Queue.java
http://jenkins-ci.org/commit/jenkins/cf1fdf98e435b4c7df54f1a8e958d185f1a0f3d2
Log:
[FIXED JENKINS-31649] Check should be against AccessControlled and Permission.READ

The previous check was to narrow.
We now check on AccessControlled (which is implemented by Item)
We now also check on Permission.READ (which is the generic read permission)

This should allow subtasks who's task may not be an Item to at least implement AccessControlled to alow visibility.

There remains an open question as to whether tasks that are not AccessControlled should ever be visible in the UI

SCM/JIRA link daemon added a comment - 2015-11-20 11:20 Code changed in jenkins User: Stephen Connolly Path: core/src/main/java/hudson/model/Queue.java http://jenkins-ci.org/commit/jenkins/cf1fdf98e435b4c7df54f1a8e958d185f1a0f3d2 Log: [FIXED JENKINS-31649] Check should be against AccessControlled and Permission.READ The previous check was to narrow. We now check on AccessControlled (which is implemented by Item) We now also check on Permission.READ (which is the generic read permission) This should allow subtasks who's task may not be an Item to at least implement AccessControlled to alow visibility. There remains an open question as to whether tasks that are not AccessControlled should ever be visible in the UI

SCM/JIRA link daemon added a comment - 2015-11-20 11:20

Code changed in jenkins
User: Stephen Connolly
Path:
core/src/main/java/hudson/model/Queue.java
http://jenkins-ci.org/commit/jenkins/46ef3a5776b9a60a1e5d364c29afda01fa09faed
Log:
Merge pull request #1919 from stephenc/jenkins-31649

[FIXED JENKINS-31649] Check should be against AccessControlled not Item

Compare: https://github.com/jenkinsci/jenkins/compare/23276180209b...46ef3a5776b9

SCM/JIRA link daemon added a comment - 2015-11-20 11:20 Code changed in jenkins User: Stephen Connolly Path: core/src/main/java/hudson/model/Queue.java http://jenkins-ci.org/commit/jenkins/46ef3a5776b9a60a1e5d364c29afda01fa09faed Log: Merge pull request #1919 from stephenc/jenkins-31649 [FIXED JENKINS-31649] Check should be against AccessControlled not Item Compare: https://github.com/jenkinsci/jenkins/compare/23276180209b...46ef3a5776b9

Jesse Glick added a comment - 2015-11-24 16:28

Reproducible in 1.625.2 even with no security: create a Workflow job

node('whatever') {}

and build. You should see an entry in the queue widget, but you do not.

Jesse Glick added a comment - 2015-11-24 16:28 Reproducible in 1.625.2 even with no security: create a Workflow job node( 'whatever' ) {} and build. You should see an entry in the queue widget, but you do not.

Jesse Glick added a comment - 2015-11-24 16:30

PR 1919 would not fix that. However I could make PlaceholderTask be AccessControlled, in which case a backport of this fix plus a plugin update would correct the regression.

Jesse Glick added a comment - 2015-11-24 16:30 PR 1919 would not fix that. However I could make PlaceholderTask be AccessControlled , in which case a backport of this fix plus a plugin update would correct the regression.

SCM/JIRA link daemon added a comment - 2015-11-25 09:22

Code changed in jenkins
User: Stephen Connolly
Path:
core/src/main/java/hudson/model/Queue.java
core/src/main/java/hudson/model/queue/AbstractQueueTask.java
http://jenkins-ci.org/commit/jenkins/e930da45ff4c48dfcaadc57e01485051d2a04b1d
Log:
~~JENKINS-31649~~ Tidy-up javadoc comments after merge of ~~JENKINS-31649~~

SCM/JIRA link daemon added a comment - 2015-11-25 09:22 Code changed in jenkins User: Stephen Connolly Path: core/src/main/java/hudson/model/Queue.java core/src/main/java/hudson/model/queue/AbstractQueueTask.java http://jenkins-ci.org/commit/jenkins/e930da45ff4c48dfcaadc57e01485051d2a04b1d Log: JENKINS-31649 Tidy-up javadoc comments after merge of JENKINS-31649

SCM/JIRA link daemon added a comment - 2015-11-25 16:16

Code changed in jenkins
User: Jesse Glick
Path:
CHANGES.md
aggregator/src/test/java/org/jenkinsci/plugins/workflow/steps/ExecutorStepTest.java
support/src/main/java/org/jenkinsci/plugins/workflow/support/steps/ExecutorStepExecution.java
http://jenkins-ci.org/commit/workflow-plugin/b9376a9f906dbb142acfe605be9c8358bcd66c3d
Log:
~~JENKINS-31649~~ When supported by Jenkins core, display queue items to authorized users.

SCM/JIRA link daemon added a comment - 2015-11-25 16:16 Code changed in jenkins User: Jesse Glick Path: CHANGES.md aggregator/src/test/java/org/jenkinsci/plugins/workflow/steps/ExecutorStepTest.java support/src/main/java/org/jenkinsci/plugins/workflow/support/steps/ExecutorStepExecution.java http://jenkins-ci.org/commit/workflow-plugin/b9376a9f906dbb142acfe605be9c8358bcd66c3d Log: JENKINS-31649 When supported by Jenkins core, display queue items to authorized users.

SCM/JIRA link daemon added a comment - 2015-11-25 16:16

Code changed in jenkins
User: Jesse Glick
Path:
CHANGES.md
aggregator/src/test/java/org/jenkinsci/plugins/workflow/steps/ExecutorStepTest.java
support/src/main/java/org/jenkinsci/plugins/workflow/support/steps/ExecutorStepExecution.java
http://jenkins-ci.org/commit/workflow-plugin/8dd67dd83e0ff60cdd284ae14e6316006c0eff34
Log:
Merge pull request #258 from jglick/PlaceholderTask-visibility-~~JENKINS-31649~~

~~JENKINS-31649~~ Integrate with post-SECURITY-186 queue item display policy

Compare: https://github.com/jenkinsci/workflow-plugin/compare/3d60b260ee0c...8dd67dd83e0f

SCM/JIRA link daemon added a comment - 2015-11-25 16:16 Code changed in jenkins User: Jesse Glick Path: CHANGES.md aggregator/src/test/java/org/jenkinsci/plugins/workflow/steps/ExecutorStepTest.java support/src/main/java/org/jenkinsci/plugins/workflow/support/steps/ExecutorStepExecution.java http://jenkins-ci.org/commit/workflow-plugin/8dd67dd83e0ff60cdd284ae14e6316006c0eff34 Log: Merge pull request #258 from jglick/PlaceholderTask-visibility- JENKINS-31649 JENKINS-31649 Integrate with post-SECURITY-186 queue item display policy Compare: https://github.com/jenkinsci/workflow-plugin/compare/3d60b260ee0c...8dd67dd83e0f

SCM/JIRA link daemon added a comment - 2015-11-25 19:05

Code changed in jenkins
User: Stephen Connolly
Path:
core/src/main/java/hudson/model/Queue.java
http://jenkins-ci.org/commit/jenkins/b51653d2bfa1a8b4e854bb0991202879e7228da8
Log:
[FIXED JENKINS-31649] Check should be against AccessControlled and Permission.READ

The previous check was to narrow.
We now check on AccessControlled (which is implemented by Item)
We now also check on Permission.READ (which is the generic read permission)

This should allow subtasks who's task may not be an Item to at least implement AccessControlled to alow visibility.

There remains an open question as to whether tasks that are not AccessControlled should ever be visible in the UI

(cherry picked from commit cf1fdf98e435b4c7df54f1a8e958d185f1a0f3d2)

SCM/JIRA link daemon added a comment - 2015-11-25 19:05 Code changed in jenkins User: Stephen Connolly Path: core/src/main/java/hudson/model/Queue.java http://jenkins-ci.org/commit/jenkins/b51653d2bfa1a8b4e854bb0991202879e7228da8 Log: [FIXED JENKINS-31649] Check should be against AccessControlled and Permission.READ The previous check was to narrow. We now check on AccessControlled (which is implemented by Item) We now also check on Permission.READ (which is the generic read permission) This should allow subtasks who's task may not be an Item to at least implement AccessControlled to alow visibility. There remains an open question as to whether tasks that are not AccessControlled should ever be visible in the UI (cherry picked from commit cf1fdf98e435b4c7df54f1a8e958d185f1a0f3d2)

dogfood added a comment - 2015-11-26 23:41

Integrated in jenkins_main_trunk #4373
[FIXED JENKINS-31649] Check should be against AccessControlled and Permission.READ (Revision cf1fdf98e435b4c7df54f1a8e958d185f1a0f3d2)
~~JENKINS-31649~~ Tidy-up javadoc comments after merge of ~~JENKINS-31649~~ (Revision e930da45ff4c48dfcaadc57e01485051d2a04b1d)
[FIXED JENKINS-31649] Check should be against AccessControlled and Permission.READ (Revision b51653d2bfa1a8b4e854bb0991202879e7228da8)

Result = SUCCESS
stephen connolly : cf1fdf98e435b4c7df54f1a8e958d185f1a0f3d2
Files :

core/src/main/java/hudson/model/Queue.java

stephen connolly : e930da45ff4c48dfcaadc57e01485051d2a04b1d
Files :

core/src/main/java/hudson/model/Queue.java
core/src/main/java/hudson/model/queue/AbstractQueueTask.java

ogondza : b51653d2bfa1a8b4e854bb0991202879e7228da8
Files :

core/src/main/java/hudson/model/Queue.java

dogfood added a comment - 2015-11-26 23:41 Integrated in jenkins_main_trunk #4373 [FIXED JENKINS-31649] Check should be against AccessControlled and Permission.READ (Revision cf1fdf98e435b4c7df54f1a8e958d185f1a0f3d2) JENKINS-31649 Tidy-up javadoc comments after merge of JENKINS-31649 (Revision e930da45ff4c48dfcaadc57e01485051d2a04b1d) [FIXED JENKINS-31649] Check should be against AccessControlled and Permission.READ (Revision b51653d2bfa1a8b4e854bb0991202879e7228da8) Result = SUCCESS stephen connolly : cf1fdf98e435b4c7df54f1a8e958d185f1a0f3d2 Files : core/src/main/java/hudson/model/Queue.java stephen connolly : e930da45ff4c48dfcaadc57e01485051d2a04b1d Files : core/src/main/java/hudson/model/Queue.java core/src/main/java/hudson/model/queue/AbstractQueueTask.java ogondza : b51653d2bfa1a8b4e854bb0991202879e7228da8 Files : core/src/main/java/hudson/model/Queue.java

dogfood added a comment - 2016-01-14 12:10

Integrated in jenkins_2.0 #5
[FIXED JENKINS-31649] Check should be against AccessControlled and (Revision cf1fdf98e435b4c7df54f1a8e958d185f1a0f3d2)
~~JENKINS-31649~~ Tidy-up javadoc comments after merge of ~~JENKINS-31649~~ (Revision e930da45ff4c48dfcaadc57e01485051d2a04b1d)
[FIXED JENKINS-31649] Check should be against AccessControlled and (Revision b51653d2bfa1a8b4e854bb0991202879e7228da8)

Result = SUCCESS
stephen connolly : cf1fdf98e435b4c7df54f1a8e958d185f1a0f3d2
Files :

core/src/main/java/hudson/model/Queue.java

stephen connolly : e930da45ff4c48dfcaadc57e01485051d2a04b1d
Files :

core/src/main/java/hudson/model/Queue.java
core/src/main/java/hudson/model/queue/AbstractQueueTask.java

ogondza : b51653d2bfa1a8b4e854bb0991202879e7228da8
Files :

core/src/main/java/hudson/model/Queue.java

dogfood added a comment - 2016-01-14 12:10 Integrated in jenkins_2.0 #5 [FIXED JENKINS-31649] Check should be against AccessControlled and (Revision cf1fdf98e435b4c7df54f1a8e958d185f1a0f3d2) JENKINS-31649 Tidy-up javadoc comments after merge of JENKINS-31649 (Revision e930da45ff4c48dfcaadc57e01485051d2a04b1d) [FIXED JENKINS-31649] Check should be against AccessControlled and (Revision b51653d2bfa1a8b4e854bb0991202879e7228da8) Result = SUCCESS stephen connolly : cf1fdf98e435b4c7df54f1a8e958d185f1a0f3d2 Files : core/src/main/java/hudson/model/Queue.java stephen connolly : e930da45ff4c48dfcaadc57e01485051d2a04b1d Files : core/src/main/java/hudson/model/Queue.java core/src/main/java/hudson/model/queue/AbstractQueueTask.java ogondza : b51653d2bfa1a8b4e854bb0991202879e7228da8 Files : core/src/main/java/hudson/model/Queue.java

Assignee:: Stephen Connolly

Reporter:: Stephen Connolly

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2015-11-19 11:45

Updated:: 2016-08-29 17:27

Resolved:: 2015-11-20 11:20

Jenkins

Details

Description

Attachments

Issue Links

Activity

Collapse comment: SCM/JIRA link daemon added a comment - 2015-11-20 11:20

Expand comment: SCM/JIRA link daemon added a comment - 2015-11-20 11:20

Collapse comment: SCM/JIRA link daemon added a comment - 2015-11-20 11:20

Expand comment: SCM/JIRA link daemon added a comment - 2015-11-20 11:20

Collapse comment: Jesse Glick added a comment - 2015-11-24 16:28

Expand comment: Jesse Glick added a comment - 2015-11-24 16:28

Collapse comment: Jesse Glick added a comment - 2015-11-24 16:30

Expand comment: Jesse Glick added a comment - 2015-11-24 16:30

Collapse comment: SCM/JIRA link daemon added a comment - 2015-11-25 09:22

Expand comment: SCM/JIRA link daemon added a comment - 2015-11-25 09:22

Collapse comment: SCM/JIRA link daemon added a comment - 2015-11-25 16:16

Expand comment: SCM/JIRA link daemon added a comment - 2015-11-25 16:16

Collapse comment: SCM/JIRA link daemon added a comment - 2015-11-25 16:16

Expand comment: SCM/JIRA link daemon added a comment - 2015-11-25 16:16

Collapse comment: SCM/JIRA link daemon added a comment - 2015-11-25 19:05

Expand comment: SCM/JIRA link daemon added a comment - 2015-11-25 19:05

Collapse comment: dogfood added a comment - 2015-11-26 23:41

Expand comment: dogfood added a comment - 2015-11-26 23:41

Collapse comment: dogfood added a comment - 2016-01-14 12:10

Expand comment: dogfood added a comment - 2016-01-14 12:10

People

Dates