Jenkins / JENKINS-62054

Support action is displayed even if the user does not have the rights


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Component/s: support-core-plugin
    • Labels:
      None
    • Environment:
      Any version of the plugin
      Any core version
    • Released As:
      support-core-2.73

      Description

      Browse a Jenkins instance without admin rights (noticed with anonymous on the community Jenkins), and observe that you can see the Support link on the left of a Job. You can click on it and see the bundle generation screen.

      This is only a display issue; you cannot do more, as the rest is protected. The screen itself doesn't show information you are not allowed to see.

      The same is also visible for Computers.

            Activity

            aheritier Arnaud Héritier added a comment -

            Obviously there is a problem Pierre Beitz

            It's not a security issue from my POV (Daniel Beck) because you cannot generate anything, but I agree with you that we should fix it.

            Not sure about the fix you propose and why the permissions set in actions by Allan BURDAJEWICZ do not work.

            pierrebtz Pierre Beitz added a comment -

            Arnaud Héritier here is the link where I detected this: https://ci.jenkins.io/job/Plugins/job/shelve-project-plugin/job/master/29/support/

            I must admit I don't know how the management of permissions for an action in Jelly works. I have the same pattern in the shelve project plugin and I drive this with the Java code (like I did in the PR for this task).

            aheritier Arnaud Héritier added a comment -

            Pierre Beitz Could it be with some specific settings and/or a specific security scheme?

            It's surprising (I didn't test) because the actions are supposed to require the permission SupportPlugin.CREATE_BUNDLE

            https://github.com/jenkinsci/support-core-plugin/blob/master/src/main/resources/com/cloudbees/jenkins/support/actions/SupportAbstractItemAction/action.jelly#L5

            https://github.com/jenkinsci/support-core-plugin/blob/master/src/main/resources/com/cloudbees/jenkins/support/actions/SupportComputerAction/action.jelly#L5

            https://github.com/jenkinsci/support-core-plugin/blob/master/src/main/resources/com/cloudbees/jenkins/support/actions/SupportRunAction/action.jelly#L5

            Also, on our products, when I don't have admin permission I do not see them (but we are probably not using the latest version of support-core). cc Allan BURDAJEWICZ

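As an added example (not code from support-core-plugin and not the fix released in support-core-2.73), the pattern Pierre Beitz describes of driving an action's permissions from Java rather than from the Jelly view: Jenkins core builds the sidebar entry from getIconFileName(), so returning null there removes the link for users without the permission, and the endpoint re-checks the permission itself so that hiding the link is never the only control. The class name BundleAction, the package, the icon path, and the use of Jenkins.ADMINISTER in place of a plugin-defined permission such as CREATE_BUNDLE are assumptions made for the example.

```java
package io.example.support; // hypothetical package (assumption)

import hudson.Extension;
import hudson.model.AbstractItem;
import hudson.model.Action;
import hudson.security.Permission;
import jenkins.model.Jenkins;
import jenkins.model.TransientActionFactory;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.util.Collection;
import java.util.Collections;

/**
 * Sidebar action on an item whose visibility and behaviour are both decided in Java.
 * Hypothetical class written for this example; it is not part of support-core-plugin.
 */
public class BundleAction implements Action {

    /**
     * Permission a user needs to see and use the action. Jenkins.ADMINISTER stands in
     * here for a plugin-defined permission such as CREATE_BUNDLE (assumption).
     */
    static final Permission REQUIRED = Jenkins.ADMINISTER;

    private final AbstractItem item;

    BundleAction(AbstractItem item) {
        this.item = item;
    }

    /**
     * Core renders the sidebar entry from this value. Returning null removes the link
     * entirely, independent of anything a Jelly view of the action does. The check is
     * made against the item, so per-item authorization strategies are honoured.
     */
    @Override
    public String getIconFileName() {
        // icon path is an assumption
        return item.hasPermission(REQUIRED) ? "/plugin/example/images/support.png" : null;
    }

    @Override
    public String getDisplayName() {
        return "Support";
    }

    @Override
    public String getUrlName() {
        return "support";
    }

    /**
     * A hidden link is only cosmetic: .../support/generate is still reachable by
     * typing the URL, so the endpoint enforces the permission itself.
     * checkPermission() throws an access-denied exception (rendered as HTTP 403)
     * for users who lack it.
     */
    @RequirePOST
    public HttpResponse doGenerate() {
        item.checkPermission(REQUIRED);
        // bundle generation would go here
        return HttpResponses.redirectToDot();
    }

    /** Attaches the action to every item; visibility is still decided by getIconFileName(). */
    @Extension
    public static class Factory extends TransientActionFactory<AbstractItem> {
        @Override
        public Class<AbstractItem> type() {
            return AbstractItem.class;
        }

        @Override
        public Collection<? extends Action> createFor(AbstractItem target) {
            return Collections.singleton(new BundleAction(target));
        }
    }
}
```

To verify a fix of this shape, log in as a user without the permission (or browse anonymously), confirm the Support link is absent from the job's sidebar, and then POST to the action URL directly: the request must be refused with 403. The direct request is the check that matters, because the link being hidden proves nothing about the endpoint. If the action also ships an action.jelly that replaces the default sidebar entry, whatever permission check that view performs is in addition to, not a substitute for, the null return above.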

              People

              Assignee:
              allan_burdajewicz Allan BURDAJEWICZ
              Reporter:
              pierrebtz Pierre Beitz
              Votes:
              0
              Watchers:
              2
