-
Task
-
Resolution: Fixed
-
Critical
-
None
-
-
1.0
Users that lack the "create job" permission should not be able to access the Creation flow as they cannot actually complete it: it will fail with a 403 at the end.
Scope
- Only show the "New Pipeline" button on Dashboard for users with "create job"
- If the user navigates directly to the "create-pipeline" URL, we should short-circuit the Creation flow for users lacking the "create job" permission
- Do the same short-circuit for "create-pipeline" if the user has not authenticated
Notes
- Need to update core-js User to automatically expose data from the passed in "blueUser" otherwise we'll have to touch this time every time we want to expose new data.
- is blocked by
-
-
- Resolved
-
-
-
- Closed
-
- relates to
-
JENKINS-41373 Github SCM "creation" returns unhandled 403 exception when user lacks "create job" permission
-
- Closed
-
-
-
- Closed
-
[JENKINS-41434] Restrict access to Creation Flow for users with insufficient permissions
The permissions data is already being written into the page via the preloader stuff, so it's available without a separate REST fetch. However, in core-js, the User object is wrapping this data, and explicitly exposing a known list of properties. This is probably bad for extensibility and probably a maintenance headache. We probably just want to Object.assign(this, blueUser) and call it a day 
We can't resolve this now as we can't test logged in users in the ATH.
Sorry to keep beating the dead horse but this "anonymous ATH" problem really does need to get tackled soon. Our entire test suite is running in a configuration that we're more or less discouraging. Not good 
yes I think this should be postponed until we have real users in ATH
Since the backend enforces security on the REST API, I don't view this as a critical issue. However it will be frustrating for end users to move through the creation flow and receive an error at the end if they lack the right permission. jamesdumay feel free to prioritize this accordingly.