
"Open Blue Ocean" button disappears when "Block inheritance of global authorization matrix" is set in a folder

      We create a root folder and activate the "Enable project-based security".

      "Open Blue Ocean" button is available at the root of our jenkins, but it disappears
      when you're in that folder where "Block inheritance of global authorization matrix" is set.

          [JENKINS-46540] "Open Blue Ocean" button disappears when "Block inheritance of global authorization matrix" is set in a folder

          Max Laverse added a comment - edited

          We can also reproduce this issue. Here is some additional information:

          • Folders Plugin : 6.1.2
          • GitHub Pipeline for Blue Ocean : 1.2.0
          • Matrix Authorization Strategy Plugin : 1.7

          Activating "Block inheritance of global authorization matrix" on a GitHub Organization or folder will make the "Open Blue Ocean" button disappear from the left menu, even if you give all possible permissions to your user, group, or even anonymous.

          Michael Neale added a comment -

          thitho_007 can you add a comment in the form of "expected behavior..." to make it clear where it should appear? 

          (also if there are any errors or anything, browser console or server side) may help


          Michael Neale added a comment -

          cc max_laverse any more reproduction instructions/color you can provide to help? 


          Max Laverse added a comment -

          Sure michaelneale

          Reproduction:

          • docker run --net=host jenkins/jenkins:lts
          • go in manage plugin and install blueocean
          • activate "Project-based Matrix Authorization Strategy" in global security and give all the rights to anonymous
          • create two folders "test1" and "test2"
          • in "test1", activate "Enable project-based security" and give all the rights no anonymous
          • in "test2", activate "Enable project-based security", give all the rights no anonymous, and block inheritance

          Result:

          • you see the "Open Blue Ocean" link on the left menu of test1
          • you can't see the "Open Blue Ocean" link on the left menu of test2

          Expected:

          • The "Open Blue Ocean" link should also appear in test2

           

          I looked into the blue-ocean-rest-impl plugin. There doesn't seem to be any logic that decides if the link should be shown or hidden.

          I added log traces in the folder plugin and it looks like the Actions is there even when it's not displayed.

          I don't know Jenkins very well, but I think it could be in the matrix-authorization-plugin.

          Fyi, with the matrix-authorization-plugin 2.0-beta-4 the link is also displayed when the inheritance is blocked, but it could also be that the plugin is broken (haven't tested it deeply)


          James Dumay added a comment -

          Merging with JENKINS-45947 as I suspect there is a common cause.


          Daniel Zeiter added a comment -

          I am still experiencing this issue as described.

          This issue got closed because of JENKINS-45947, but that issue was never merged and closed as not reproducible without taking into account this linked issue.

          I still experience this problem if the Folder permission is set to "Don't inherit" and you are not an admin but have all folder accesses then you will not see the "Open Blue Ocean" button.

           


          Daniel Beck added a comment - edited

          Does this issue still occur in Matrix Auth Plugin 2.1 or newer with the revised options for permissions inheritance?


          Daniel Beck added a comment -

          I was able to reproduce this problem and have found the cause. I consider this to be a bug in Blue Ocean: It checks the Overall/Read permission no matter in which context (folder, job, etc.) the sidepanel link would be displayed.

          https://github.com/jenkinsci/blueocean-plugin/blob/77960a8dc21840ae5f6df784a26f91e09d7da621/blueocean-rest-impl/src/main/resources/io/jenkins/blueocean/service/embedded/BlueOceanUrlAction/action.jelly#L8

          Global permissions are expected to not matter in the context of a folder, so the combination of not being able to grant them on a folder level, and not inheriting them from the global ACL, results in this permission check failing if and only if you're in such a folder (or job – the same applies to jobs that don't inherit permissions).

          While an argument could be made that Matrix Auth should always inherit Overall/Read (the same way Overall/Administer is – since Matrix Auth 2.0 – always inherited) for compatibility with buggy plugins, this is ultimately, IMO, a Blue Ocean bug.
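
          A simplified model of the lookup described in the comment above, added here as an illustration; it is not Jenkins, Matrix Auth or Blue Ocean code and is not part of the thread. The `Node` class, the permission strings and both `link_visible_*` functions are assumptions made for the example.

```python
from dataclasses import dataclass, field

OVERALL_READ = "Overall/Read"          # global-scoped: only grantable on the root
OVERALL_ADMIN = "Overall/Administer"   # global-scoped
ITEM_READ = "Job/Read"                 # item-scoped: grantable on folders and jobs
GLOBAL_ONLY = {OVERALL_READ, OVERALL_ADMIN}

@dataclass
class Node:
    name: str
    parent: "Node | None" = None
    grants: dict = field(default_factory=dict)   # sid -> set of permissions
    inherit: bool = True                          # False models "block inheritance"

    def grant(self, sid, *perms):
        if self.parent is not None and GLOBAL_ONLY & set(perms):
            raise ValueError("Overall/* cannot be granted on a folder or job")
        self.grants.setdefault(sid, set()).update(perms)

    def has_permission(self, sid, perm):
        if perm in self.grants.get(sid, set()):
            return True
        if self.parent is None:
            return False
        # Per the thread, Matrix Auth 2.0+ always inherits Overall/Administer.
        if self.inherit or perm == OVERALL_ADMIN:
            return self.parent.has_permission(sid, perm)
        return False

def link_visible_buggy(context, sid):
    # Models the reported check: Overall/Read evaluated on the current context.
    return context.has_permission(sid, OVERALL_READ)

def link_visible_root_check(context, sid):
    # Assumption for comparison: evaluate the global permission on the root only.
    root = context
    while root.parent is not None:
        root = root.parent
    return root.has_permission(sid, OVERALL_READ)

def build_repro():
    # Constructed data mirroring the test1/test2 reproduction from the thread.
    root = Node("jenkins")
    root.grant("anonymous", OVERALL_READ, ITEM_READ)
    test1 = Node("test1", parent=root)
    test1.grant("anonymous", ITEM_READ)
    test2 = Node("test2", parent=root, inherit=False)
    test2.grant("anonymous", ITEM_READ)
    return root, test1, test2
```

          In this model the folder with blocked inheritance still grants its item-scoped permission, yet the context-level Overall/Read check fails there and nowhere else, which matches the reported symptom.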


          Daniel Beck added a comment -

          FWIW the permission check here makes no sense anyway, as the link would not be displayed to anyone without Overall/Read permission. It only governs whether they can see the link, not whether they can get access.

          Remove the linked line in the Jelly file and you're done. Someone up for some easy karma?


          Jesse Glick added a comment -

          You need Overall/Read to do anything except use an UnprotectedRootAction, so explicitly checking it makes little sense. Anyway, I am not sure why matrix-auth would be blocking inheritance of Overall/* permissions, but it should not matter since they should only ever be checked on Jenkins to begin with. (I used to want to actually enforce PermissionScope at runtime, but there are some corner cases that would be tricky to fix compatibly.) So agreed that just removing that line from action.jelly should suffice.


          Daniel Beck added a comment -

          FYI I asked about this in https://groups.google.com/d/msg/jenkinsci-dev/kg4UVxJ4gQQ/os-aPg85CAAJ

          James Pressley added a comment -

          Is there any movement on this? Users are complaining the blue ocean button is not there. I have resorted to inheriting the permissions and adding but this is not ideal

          Hugh Saunders added a comment -

          This is also an issue with the github-oauth plugin. I'm going to try danielbeck's suggestion.


          Hugh Saunders added a comment -

          Pull Request: https://github.com/jenkinsci/blueocean-plugin/pull/2086

            Assignee: Unassigned
            Reporter: thitho_007 Thierry Tholle