[JENKINS-6731] Hudson CLI allow anonymous user to restart, clear-queue (and probably some other) even with no rights

Type: Bug
Resolution: Duplicate
Priority: Critical
Component/s: cli
Labels:
None
Environment:
Hudson ver. 1.361 / Ubuntu 8.04 Server / Tomcat 5.5 / Java 6

Similar Issues:
Powered by SuggestiMate

Show

With Matrix based security (delegated to Servlet container), with EVERY right removed (not even read) to the Anonymous role, i am still able to remotely run restart, clear-queue using, version, ... using the hudson-cli (and probably others i didnt try). However, some actions like reload-configuration correctly fail with hudson.security.AccessDeniedException2: anonymous is missing the Administer permission).

Alan Harder added a comment - 2010-08-12 20:37

This was fixed in 1.371 as issue SECURITY-5

Alan Harder added a comment - 2010-08-12 20:37 This was fixed in 1.371 as issue SECURITY-5

Alan Harder added a comment - 2010-08-12 20:38

Thanks for the report!
(there's a SECURITY project you can use in future)

Alan Harder added a comment - 2010-08-12 20:38 Thanks for the report! (there's a SECURITY project you can use in future)

Assignee:: Unassigned

Reporter:: dprunier

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2010-06-09 09:45

Updated:: 2010-08-12 20:38

Resolved:: 2010-08-12 20:38

Jenkins

Details

Description

Attachments

Activity

Collapse comment: Alan Harder added a comment - 2010-08-12 20:37

Expand comment: Alan Harder added a comment - 2010-08-12 20:37

Collapse comment: Alan Harder added a comment - 2010-08-12 20:38

Expand comment: Alan Harder added a comment - 2010-08-12 20:38

People

Dates