Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-6832

When users without any permissions trying to Delete the view, there is fatal error

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Component/s: _unsorted
    • Labels:
      None
    • Environment:
      Debian 5.0 (lenny), Hudson ver. 1.358 with LDAP
    • Similar Issues:

      Description

      1. First of all going to /me/my-views/view/All/ user see all menu items which shouldn't see, like: New Job, Manage Hudson, People, Build History, Delete View, My Views
      2. Then clicking on 'Delete View'
      3. Choose Yes on question: 'Are you sure about deleting the view?'

      Then you will see following error:

      Status Code: 500
      Backtrace:
      Exception:
      Stacktrace:
      java.lang.IllegalStateException
      at hudson.model.MyViewsProperty.deleteView(MyViewsProperty.java:118)
      at hudson.model.View.doDoDelete(View.java:593)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)

        Attachments

          Activity

          Hide
          mindless Alan Harder added a comment - - edited

          root cause for extra links:
          sidepanel.jelly is checking permissions for which links to show.. "it" here a view whose getOwner() is a MyViewsProperty and getACL is based on the User object.. A user has full permission of its own object, so the view page incorrectly shows every possible link.

          root cause for delete failure:
          need to hide the "delete view" link when "my-views" has only ONE view (can't delete the last one).

          Show
          mindless Alan Harder added a comment - - edited root cause for extra links: sidepanel.jelly is checking permissions for which links to show.. "it" here a view whose getOwner() is a MyViewsProperty and getACL is based on the User object.. A user has full permission of its own object, so the view page incorrectly shows every possible link. root cause for delete failure: need to hide the "delete view" link when "my-views" has only ONE view (can't delete the last one).
          Hide
          kenorb kenorb added a comment -

          It's something that can be fixed, or I should provide more details?

          Show
          kenorb kenorb added a comment - It's something that can be fixed, or I should provide more details?
          Hide
          mindless Alan Harder added a comment -

          We have all the info, thanks. I was just making some notes in case someone wants to fix this before I get around to it..

          Show
          mindless Alan Harder added a comment - We have all the info, thanks. I was just making some notes in case someone wants to fix this before I get around to it..
          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in hudson
          User: : mindless
          Path:
          trunk/hudson/main/core/src/main/java/hudson/model/Hudson.java
          trunk/hudson/main/core/src/main/java/hudson/model/MyViewsProperty.java
          trunk/hudson/main/core/src/main/java/hudson/model/TreeView.java
          trunk/hudson/main/core/src/main/java/hudson/model/ViewGroup.java
          trunk/hudson/main/core/src/main/resources/hudson/model/Messages.properties
          trunk/hudson/main/core/src/main/resources/hudson/model/View/sidepanel.jelly
          trunk/www/changelog.html
          http://jenkins-ci.org/commit/32319
          Log:
          [FIXED JENKINS-6832] Hide some sidepanel links that should not be shown in
          user-private views. Use it="${app}" for Manage Hudson and New Job links,
          so these check the proper permission. Replaced !it.isDefault() check
          with new ViewGroup.canDelete API call.. Hudson ViewGroup uses isDefault()
          for this method; MyViewsProperty checks views.size() > 1 so link is
          hidden when there is only one user-private view.
          Used !=false in jelly for backward compatibility (if a plugin implements
          ViewGroup but does not have canDelete, null!=false will result in true).

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in hudson User: : mindless Path: trunk/hudson/main/core/src/main/java/hudson/model/Hudson.java trunk/hudson/main/core/src/main/java/hudson/model/MyViewsProperty.java trunk/hudson/main/core/src/main/java/hudson/model/TreeView.java trunk/hudson/main/core/src/main/java/hudson/model/ViewGroup.java trunk/hudson/main/core/src/main/resources/hudson/model/Messages.properties trunk/hudson/main/core/src/main/resources/hudson/model/View/sidepanel.jelly trunk/www/changelog.html http://jenkins-ci.org/commit/32319 Log: [FIXED JENKINS-6832] Hide some sidepanel links that should not be shown in user-private views. Use it="${app}" for Manage Hudson and New Job links, so these check the proper permission. Replaced !it.isDefault() check with new ViewGroup.canDelete API call.. Hudson ViewGroup uses isDefault() for this method; MyViewsProperty checks views.size() > 1 so link is hidden when there is only one user-private view. Used !=false in jelly for backward compatibility (if a plugin implements ViewGroup but does not have canDelete, null!=false will result in true).
          Hide
          kenorb kenorb added a comment -

          Thank you.

          Show
          kenorb kenorb added a comment - Thank you.
          Hide
          tbingaman Timothy Bingaman added a comment -

          Hi mindless,

          This fix appears to have broken the Nested View plugin, but judging by your subsequent commit comment it appears that you're aware of that. Any idea when a compatible version of the Nested View plugin will be released?

          Show
          tbingaman Timothy Bingaman added a comment - Hi mindless, This fix appears to have broken the Nested View plugin, but judging by your subsequent commit comment it appears that you're aware of that. Any idea when a compatible version of the Nested View plugin will be released?
          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in hudson
          User: : mindless
          Path:
          trunk/hudson/plugins/nested-view/pom.xml
          trunk/hudson/plugins/nested-view/src/main/java/hudson/plugins/nested_view/NestedView.java
          http://jenkins-ci.org/commit/32784
          Log:
          [nested-view] JENKINS-6832 implement canDelete for compatibility with Hudson 1.366+

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in hudson User: : mindless Path: trunk/hudson/plugins/nested-view/pom.xml trunk/hudson/plugins/nested-view/src/main/java/hudson/plugins/nested_view/NestedView.java http://jenkins-ci.org/commit/32784 Log: [nested-view] JENKINS-6832 implement canDelete for compatibility with Hudson 1.366+

            People

            Assignee:
            mindless Alan Harder
            Reporter:
            kenorb kenorb
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: