Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-6731

Hudson CLI allow anonymous user to restart, clear-queue (and probably some other) even with no rights

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Duplicate
    • Icon: Critical Critical
    • cli
    • None
    • Hudson ver. 1.361 / Ubuntu 8.04 Server / Tomcat 5.5 / Java 6

      With Matrix based security (delegated to Servlet container), with EVERY right removed (not even read) to the Anonymous role, i am still able to remotely run restart, clear-queue using, version, ... using the hudson-cli (and probably others i didnt try). However, some actions like reload-configuration correctly fail with hudson.security.AccessDeniedException2: anonymous is missing the Administer permission).

          [JENKINS-6731] Hudson CLI allow anonymous user to restart, clear-queue (and probably some other) even with no rights

          dprunier created issue -

          Alan Harder added a comment -

          This was fixed in 1.371 as issue SECURITY-5

          Alan Harder added a comment - This was fixed in 1.371 as issue SECURITY-5
          Alan Harder made changes -
          Link New: This issue duplicates SECURITY-5 [ SECURITY-5 ]

          Alan Harder added a comment -

          Thanks for the report!
          (there's a SECURITY project you can use in future)

          Alan Harder added a comment - Thanks for the report! (there's a SECURITY project you can use in future)
          Alan Harder made changes -
          Resolution New: Duplicate [ 3 ]
          Status Original: Open [ 1 ] New: Resolved [ 5 ]
          R. Tyler Croy made changes -
          Workflow Original: JNJira [ 136826 ] New: JNJira + In-Review [ 187295 ]

            Unassigned Unassigned
            dprunier dprunier
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: