
Favorite is implementing its own anonymous check, potentially breaking 3rd party sec realm

    • Type: Bug
    • Resolution: Fixed
    • Priority: Trivial
    • Component/s: favorite-plugin
    • Labels: None
    • Released As: 2.204.vef3c36862054

      Code location: https://github.com/jenkinsci/favorite-plugin/blob/67de45c325f99da9dbb637fa304d29992ae16715/src/main/java/hudson/plugins/favorite/FavoritePlugin.java#L60-L62

      Recommendation: use Jenkins.get().getAuthentication() and then use ACL.isAnonymous2(), which will take care of a user with "anonymous" as their real login coming from a third-party security realm (it's forbidden in the embedded security realm).

          [JENKINS-67139] Favorite is implementing its own anonymous check, potentially breaking 3rd party sec realm

          Wadeck Follonier added a comment (edited):

          Also a similar method in https://github.com/jenkinsci/favorite-plugin/blob/67de45c325f99da9dbb637fa304d29992ae16715/src/main/java/hudson/plugins/favorite/project/FavoriteProjectAction.java#L63-L67 and finally: https://github.com/jenkinsci/favorite-plugin/blob/67de45c325f99da9dbb637fa304d29992ae16715/src/main/java/hudson/plugins/favorite/column/FavoriteColumn.java#L89-L92

            Assignee: Unassigned
            Reporter: Wadeck Follonier (wfollonier)
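
An added illustration of the failure mode the recommendation addresses; it is not the plugin's code, which this page only links to. `isAnonymousByName` is a hypothetical name-based check, both tokens are constructed samples, and `Jenkins.getAuthentication2()` is assumed here as the Spring Security accessor whose result `ACL.isAnonymous2()` accepts. It needs jenkins-core (which brings Spring Security) on the classpath.

```java
import hudson.security.ACL;
import jenkins.model.Jenkins;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class AnonymousCheckExample {

    // Hypothetical hand-rolled check: decides by login name only.
    static boolean isAnonymousByName(Authentication auth) {
        return ACL.ANONYMOUS_USERNAME.equals(auth.getName());
    }

    // Core check: decides by the kind of authentication token, not its name.
    static boolean isAnonymousByCore(Authentication auth) {
        return ACL.isAnonymous2(auth);
    }

    // What plugin code would call while handling a request
    // (assumes a running Jenkins; not invoked from main below).
    static boolean currentUserIsAnonymous() {
        return ACL.isAnonymous2(Jenkins.getAuthentication2());
    }

    static void report(String label, Authentication auth) {
        System.out.printf("%-28s byName=%-5b byCore=%b%n",
                label, isAnonymousByName(auth), isAnonymousByCore(auth));
    }

    public static void main(String[] args) {
        // Constructed sample: a session nobody has logged in to.
        Authentication unauthenticated = new AnonymousAuthenticationToken(
                "sample-key", "anonymous",
                AuthorityUtils.createAuthorityList("anonymous"));

        // Constructed sample: a user authenticated by a third-party security
        // realm whose real login happens to be "anonymous".
        Authentication realUser = new UsernamePasswordAuthenticationToken(
                "anonymous", "n/a",
                AuthorityUtils.createAuthorityList("authenticated"));

        report("unauthenticated session", unauthenticated);
        // The two checks disagree here: the name-based one treats a
        // logged-in user as anonymous, so they would lose their favorites.
        report("realm user named anonymous", realUser);
    }
}
```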