Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-5265

Downstream job connections lost when using per-project read permission

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Critical
    • Resolution: Fixed
    • Component/s: core
    • Labels:
      None
    • Environment:
      1.341-SNAPSHOT
    • Similar Issues:

      Description

      hudson.model.DependencyGraph uses Hudson.getAllItems to find the projects to use in building the graph.. this method filters the results by Item.READ permission, so if it is run by a non-admin it may not actually look at all projects to build the dependency graph! Thus if a Hudson uses per-project read permissions and someone who can't see all jobs saves a job config, the graph is rebuilt with projects missing. If those missing projects now get built then the downstream jobs are not triggered. The job pages for those projects also don't show the upstream/downstream job links until the dependency graph is rebuilt correctly (a job config saved by an admin user).

        Attachments

          Activity

          Hide
          kohsuke Kohsuke Kawaguchi added a comment -

          That sounds like a real bug.

          I suggest we impersonate the system user while rebuilding the dependency graph.

          Show
          kohsuke Kohsuke Kawaguchi added a comment - That sounds like a real bug. I suggest we impersonate the system user while rebuilding the dependency graph.
          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in hudson
          User: : mindless
          Path:
          trunk/hudson/main/core/src/main/java/hudson/model/DependencyGraph.java
          trunk/hudson/main/test/src/test/java/hudson/model/DependencyGraphTest.java
          trunk/hudson/main/test/src/test/resources/hudson/model/DependencyGraphTest/testItemReadPermission.zip
          trunk/www/changelog.html
          http://fisheye4.cenqua.com/changelog/hudson/?cs=25821
          Log:
          [FIXED JENKINS-5265] set system privileges while building DependencyGraph so no jobs
          are missed if the current user can't see them all (per-project read permissions).
          Added unit tests for this and JENKINS-5236.

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in hudson User: : mindless Path: trunk/hudson/main/core/src/main/java/hudson/model/DependencyGraph.java trunk/hudson/main/test/src/test/java/hudson/model/DependencyGraphTest.java trunk/hudson/main/test/src/test/resources/hudson/model/DependencyGraphTest/testItemReadPermission.zip trunk/www/changelog.html http://fisheye4.cenqua.com/changelog/hudson/?cs=25821 Log: [FIXED JENKINS-5265] set system privileges while building DependencyGraph so no jobs are missed if the current user can't see them all (per-project read permissions). Added unit tests for this and JENKINS-5236 .

            People

            Assignee:
            mindless Alan Harder
            Reporter:
            mindless Alan Harder
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: