Details
- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
Description
2.32.2. Set up Jenkins from the setup wizard. Install matrix-auth and configure admin to have everything but anonymous to have only discover, and Save. You will see config.xml as expected:
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
    <permission>hudson.model.Hudson.Read:anonymous</permission>
    <permission>hudson.model.Item.Discover:anonymous</permission>
  </authorizationStrategy>
Yet after restart if you revisit /configureSecurity, in the UI and reality, anonymous is granted Item.READ.
Seems that the JENKINS-2324 workaround is incorrectly being applied, since Jenkins.isUpgradedFromBefore is broken, since version on config.xml is still 1.0!
Workaround is to go to /configure and Save.
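An on-disk check for the condition described in this report, as an added example that is not part of the original issue or of Jenkins itself: it parses config.xml and reports the stored version and the anonymous grants, so they can be compared with what /configureSecurity shows after a restart. The `<hudson>` root and the placement of `<version>` in the constructed sample are assumptions; the permission entries are the ones quoted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the authorizationStrategy quoted in the report, wrapped
# in a minimal <hudson> root. The <version> element placement is an assumption.
SAMPLE_CONFIG = """<hudson>
  <version>1.0</version>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
    <permission>hudson.model.Hudson.Read:anonymous</permission>
    <permission>hudson.model.Item.Discover:anonymous</permission>
  </authorizationStrategy>
</hudson>"""

ITEM_READ = "hudson.model.Item.Read"
ITEM_DISCOVER = "hudson.model.Item.Discover"

def grants_by_sid(config_xml):
    """Map each sid to the set of permission ids granted in config.xml."""
    root = ET.fromstring(config_xml)
    grants = {}
    for node in root.findall("./authorizationStrategy/permission"):
        # Entries look like "<permission id>:<sid>"; split on the last colon.
        permission, _, sid = (node.text or "").strip().rpartition(":")
        if permission:
            grants.setdefault(sid, set()).add(permission)
    return grants

def audit(config_xml, sid="anonymous"):
    """Return findings relevant to the restart behaviour described above."""
    root = ET.fromstring(config_xml)
    version = (root.findtext("version") or "").strip()
    held = grants_by_sid(config_xml).get(sid, set())
    findings = []
    if version == "1.0":
        findings.append("config.xml version is still 1.0")
    if ITEM_DISCOVER in held and ITEM_READ not in held:
        findings.append(f"{sid} has Item.Discover but not Item.Read on disk; "
                        "compare with /configureSecurity after restart")
    if ITEM_READ in held:
        findings.append(f"{sid} is granted Item.Read on disk")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```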
Issue Links
- blocks: JENKINS-2324 Feature - Set read permission by project for project-based security (Resolved)
- depends on: JENKINS-47139 Initial Access Regression in 2.80? (Resolved)
- is duplicated by: JENKINS-17081 Permission "hudson.model.Item.Read:anonymous" coming from nowhere (Resolved)
- is related to: JENKINS-63868 PlaceholderTask.getOwnerTask vulnerable to AccessDeniedException (Resolved)
- relates to: JENKINS-42556 PlaceholderTask.runForDisplay vulnerable to AccessDeniedException (Resolved)
I presume you never confirmed that the originally reported bug was actually fixed, since the reproduction steps involve going through the setup wizard, which was broken by this as detailed in JENKINS-47139.