- Type: Bug
- Resolution: Fixed
- Priority: Critical
- Fix version: github-oauth-0.31
When updating to Jenkins 2.146 the "GitHub Committer Authorization strategy" no longer works.
Users can log in but get granted no permissions at all.
Downgrading to Jenkins 2.145 fixes the issue (but due to security advisories being present, this isn't a good solution at all).
Setting logging to FINEST shows the plugin "tries" to grant the correct permissions, but Jenkins does not seem to respect them.
- is duplicated by: JENKINS-54990 404 on jenkins lts 2.138.2/3 github org workflow/multibranch jobs with github authorization (Closed)
It seems that GitHub OAuth plugin ignores permission relationships, specifically permissions implied by Item/Read with allowAnonymousReadPermission set.
Item/Discover is declared to be implied by Item/Read: https://github.com/jenkinsci/jenkins/blob/371b9c134681e3e04f52a5e0bb39c747e6d44c45/core/src/main/java/hudson/model/Item.java#L258
That's what the Stapler routing hardening in 2.138.2 and 2.146 assumes to be the case to make this nice and succinct: https://github.com/jenkinsci/jenkins/blob/371b9c134681e3e04f52a5e0bb39c747e6d44c45/core/src/main/java/hudson/model/AbstractItem.java#L942...L949 (This is slightly more readable code that'll make it into 2.147 after https://github.com/jenkinsci/jenkins/pull/3690, but in this regard it is functionally identical to what's in 2.138.2.)
GitHub OAuth needs to handle permissions implied by those it grants, at least Item/Discover. I'm pretty OK with the behavior in core.
Meanwhile, you could set the system property hudson.model.AbstractItem.skipPermissionCheck to true (https://wiki.jenkins.io/display/JENKINS/Features+controlled+by+system+properties), but note that this disables a security improvement.
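To make the failure mode above concrete, here is an added illustrative ACL (not the GitHub OAuth plugin's code, and not code from this issue) that shows how an authorization strategy should honour Jenkins permission implication. It assumes the real core types `hudson.security.ACL`, `hudson.security.Permission` (with its public `impliedBy` field), `hudson.model.Item.READ` / `Item.DISCOVER`, and the Acegi `Authentication` used by Jenkins 2.146; the class name `ImpliedPermissionAcl`, the `granted` set and the `main` method are hypothetical. The "broken" variant is the reference-equality check that produces exactly the symptom in this report: `Item/Read` is granted, but the routing check for `Item/Discover` still fails, so the user ends up with no usable permissions.

```java
import hudson.model.Item;
import hudson.security.ACL;
import hudson.security.Permission;
import jenkins.model.Jenkins;
import org.acegisecurity.Authentication;

import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Hypothetical ACL used only to demonstrate permission implication.
 * 'granted' stands in for whatever an authorization strategy decided to
 * grant directly (e.g. Item/Read to anonymous when allowAnonymousReadPermission is set).
 */
public class ImpliedPermissionAcl extends ACL {

    private final Set<Permission> granted;

    public ImpliedPermissionAcl(Set<Permission> granted) {
        this.granted = Collections.unmodifiableSet(new HashSet<>(granted));
    }

    /**
     * Broken behaviour: compares only the exact permission object.
     * Item/Discover is never in 'granted', so routing checks for it fail
     * even though Item/Read (which implies it) was granted.
     */
    public boolean hasPermissionIgnoringImplication(Permission permission) {
        return granted.contains(permission);
    }

    /**
     * Correct behaviour: walk from the requested permission up the impliedBy
     * chain (Item/Discover -> Item/Read -> Item/... -> Overall/Administer).
     * If any ancestor was granted directly, the requested permission is implied.
     */
    @Override
    public boolean hasPermission(Authentication a, Permission permission) {
        for (Permission p = permission; p != null; p = p.impliedBy) {
            if (granted.contains(p)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed scenario: only Item/Read was granted, as for anonymous
        // read access. Core's routing hardening then asks for Item/Discover.
        ImpliedPermissionAcl acl = new ImpliedPermissionAcl(Collections.singleton(Item.READ));
        Authentication anonymous = Jenkins.ANONYMOUS;

        // Expected: false  (the bug: implied permission not honoured)
        System.out.println("exact-match check, Item/Discover: "
                + acl.hasPermissionIgnoringImplication(Item.DISCOVER));

        // Expected: true   (Item/Discover is implied by the granted Item/Read)
        System.out.println("implication-aware check, Item/Discover: "
                + acl.hasPermission(anonymous, Item.DISCOVER));

        // Expected: false  (nothing granted implies Item/Configure)
        System.out.println("implication-aware check, Item/Configure: "
                + acl.hasPermission(anonymous, Item.CONFIGURE));
    }
}
```

The walk up `impliedBy` is the whole fix: a strategy that grants a permission must also answer `true` for every permission that declares itself implied by it, otherwise hardening in core that relies on those declarations (here the `Item/Discover` check in `AbstractItem`) turns a granted `Item/Read` into an effective denial.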