Jenkins / JENKINS-5265

Downstream job connections lost when using per-project read permission

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • core
    • None
    • 1.341-SNAPSHOT

    Description

      hudson.model.DependencyGraph uses Hudson.getAllItems to find the projects to use in building the graph. This method filters the results by Item.READ permission, so if it is run by a non-admin it may not actually look at all projects to build the dependency graph! Thus if a Hudson uses per-project read permissions and someone who can't see all jobs saves a job config, the graph is rebuilt with projects missing. If those missing projects now get built then the downstream jobs are not triggered. The job pages for those projects also don't show the upstream/downstream job links until the dependency graph is rebuilt correctly (a job config saved by an admin user).

        Activity

          Kohsuke Kawaguchi (kohsuke) added a comment:

          That sounds like a real bug.

          I suggest we impersonate the system user while rebuilding the dependency graph.

          SCM/JIRA link daemon (scm_issue_link) added a comment:

          Code changed in hudson
          User: mindless
          Path:
          trunk/hudson/main/core/src/main/java/hudson/model/DependencyGraph.java
          trunk/hudson/main/test/src/test/java/hudson/model/DependencyGraphTest.java
          trunk/hudson/main/test/src/test/resources/hudson/model/DependencyGraphTest/testItemReadPermission.zip
          trunk/www/changelog.html
          http://fisheye4.cenqua.com/changelog/hudson/?cs=25821
          Log:
          [FIXED JENKINS-5265] set system privileges while building DependencyGraph so no jobs
          are missed if the current user can't see them all (per-project read permissions).
          Added unit tests for this and JENKINS-5236.
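
The failure described in this issue and the direction of the fix (rebuild under system privileges, then restore the caller's identity), as a self-contained Java model. This is an added example, not the Hudson code from the commit above; every class, method and job name in it is a hypothetical stand-in, and the job data is constructed.

```java
import java.util.*;

// Self-contained model; all names are hypothetical, none of this is Hudson/Jenkins API.
public class DependencyGraphDemo {
    static final String SYSTEM = "SYSTEM";
    static final ThreadLocal<String> currentUser = ThreadLocal.withInitial(() -> "anonymous");

    // Constructed sample data: job -> downstream job, and job -> users with read permission.
    static final Map<String, String> downstreamOf = Map.of("build", "test", "test", "deploy");
    static final Map<String, Set<String>> readers = Map.of(
        "build", Set.of("alice", "bob"),
        "test", Set.of("alice"),
        "deploy", Set.of("alice", "bob"));

    // Stand-in for the permission-filtered lookup: returns only jobs the caller may read.
    static List<String> getAllItems() {
        String user = currentUser.get();
        List<String> visible = new ArrayList<>();
        for (String job : new TreeSet<>(readers.keySet()))
            if (user.equals(SYSTEM) || readers.get(job).contains(user)) visible.add(job);
        return visible;
    }

    // Before the fix: the shared graph is built from whatever the saving user can see.
    static Map<String, String> buildGraph() {
        Map<String, String> graph = new TreeMap<>();
        for (String job : getAllItems())
            if (downstreamOf.containsKey(job)) graph.put(job, downstreamOf.get(job));
        return graph;
    }

    // After the fix: switch to the system identity for the rebuild, then always restore.
    static Map<String, String> buildGraphWithSystemPrivileges() {
        String saved = currentUser.get();
        currentUser.set(SYSTEM);
        try {
            return buildGraph();
        } finally {
            currentUser.set(saved); // the caller must not keep elevated rights afterwards
        }
    }

    public static void main(String[] args) {
        currentUser.set("bob"); // bob cannot read "test" and saves a job config
        System.out.println("built as caller: " + buildGraph());
        System.out.println("built as system: " + buildGraphWithSystemPrivileges());
        System.out.println("identity after rebuild: " + currentUser.get());
    }
}
```

Restoring the saved identity in `finally` matters as much as the elevation: if the rebuild throws, the request thread must not continue with system rights.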

          People

            mindless Alan Harder