Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-6832

When users without any permissions trying to Delete the view, there is fatal error

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Fixed
    • _unsorted
    • None
    • Debian 5.0 (lenny), Hudson ver. 1.358 with LDAP

    Description

      1. First of all going to /me/my-views/view/All/ user see all menu items which shouldn't see, like: New Job, Manage Hudson, People, Build History, Delete View, My Views
      2. Then clicking on 'Delete View'
      3. Choose Yes on question: 'Are you sure about deleting the view?'

      Then you will see following error:

      Status Code: 500
      Backtrace:
      Exception:
      Stacktrace:
      java.lang.IllegalStateException
      at hudson.model.MyViewsProperty.deleteView(MyViewsProperty.java:118)
      at hudson.model.View.doDoDelete(View.java:593)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)

      Attachments

        Activity

          mindless Alan Harder added a comment - - edited

          root cause for extra links:
          sidepanel.jelly is checking permissions for which links to show.. "it" here a view whose getOwner() is a MyViewsProperty and getACL is based on the User object.. A user has full permission of its own object, so the view page incorrectly shows every possible link.

          root cause for delete failure:
          need to hide the "delete view" link when "my-views" has only ONE view (can't delete the last one).

          mindless Alan Harder added a comment - - edited root cause for extra links: sidepanel.jelly is checking permissions for which links to show.. "it" here a view whose getOwner() is a MyViewsProperty and getACL is based on the User object.. A user has full permission of its own object, so the view page incorrectly shows every possible link. root cause for delete failure: need to hide the "delete view" link when "my-views" has only ONE view (can't delete the last one).
          kenorb kenorb added a comment -

          It's something that can be fixed, or I should provide more details?

          kenorb kenorb added a comment - It's something that can be fixed, or I should provide more details?
          mindless Alan Harder added a comment -

          We have all the info, thanks. I was just making some notes in case someone wants to fix this before I get around to it..

          mindless Alan Harder added a comment - We have all the info, thanks. I was just making some notes in case someone wants to fix this before I get around to it..

          Code changed in hudson
          User: : mindless
          Path:
          trunk/hudson/main/core/src/main/java/hudson/model/Hudson.java
          trunk/hudson/main/core/src/main/java/hudson/model/MyViewsProperty.java
          trunk/hudson/main/core/src/main/java/hudson/model/TreeView.java
          trunk/hudson/main/core/src/main/java/hudson/model/ViewGroup.java
          trunk/hudson/main/core/src/main/resources/hudson/model/Messages.properties
          trunk/hudson/main/core/src/main/resources/hudson/model/View/sidepanel.jelly
          trunk/www/changelog.html
          http://jenkins-ci.org/commit/32319
          Log:
          [FIXED JENKINS-6832] Hide some sidepanel links that should not be shown in
          user-private views. Use it="${app}" for Manage Hudson and New Job links,
          so these check the proper permission. Replaced !it.isDefault() check
          with new ViewGroup.canDelete API call.. Hudson ViewGroup uses isDefault()
          for this method; MyViewsProperty checks views.size() > 1 so link is
          hidden when there is only one user-private view.
          Used !=false in jelly for backward compatibility (if a plugin implements
          ViewGroup but does not have canDelete, null!=false will result in true).

          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in hudson User: : mindless Path: trunk/hudson/main/core/src/main/java/hudson/model/Hudson.java trunk/hudson/main/core/src/main/java/hudson/model/MyViewsProperty.java trunk/hudson/main/core/src/main/java/hudson/model/TreeView.java trunk/hudson/main/core/src/main/java/hudson/model/ViewGroup.java trunk/hudson/main/core/src/main/resources/hudson/model/Messages.properties trunk/hudson/main/core/src/main/resources/hudson/model/View/sidepanel.jelly trunk/www/changelog.html http://jenkins-ci.org/commit/32319 Log: [FIXED JENKINS-6832] Hide some sidepanel links that should not be shown in user-private views. Use it="${app}" for Manage Hudson and New Job links, so these check the proper permission. Replaced !it.isDefault() check with new ViewGroup.canDelete API call.. Hudson ViewGroup uses isDefault() for this method; MyViewsProperty checks views.size() > 1 so link is hidden when there is only one user-private view. Used !=false in jelly for backward compatibility (if a plugin implements ViewGroup but does not have canDelete, null!=false will result in true).
          kenorb kenorb added a comment -

          Thank you.

          kenorb kenorb added a comment - Thank you.

          Hi mindless,

          This fix appears to have broken the Nested View plugin, but judging by your subsequent commit comment it appears that you're aware of that. Any idea when a compatible version of the Nested View plugin will be released?

          tbingaman Timothy Bingaman added a comment - Hi mindless, This fix appears to have broken the Nested View plugin, but judging by your subsequent commit comment it appears that you're aware of that. Any idea when a compatible version of the Nested View plugin will be released?

          Code changed in hudson
          User: : mindless
          Path:
          trunk/hudson/plugins/nested-view/pom.xml
          trunk/hudson/plugins/nested-view/src/main/java/hudson/plugins/nested_view/NestedView.java
          http://jenkins-ci.org/commit/32784
          Log:
          [nested-view] JENKINS-6832 implement canDelete for compatibility with Hudson 1.366+

          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in hudson User: : mindless Path: trunk/hudson/plugins/nested-view/pom.xml trunk/hudson/plugins/nested-view/src/main/java/hudson/plugins/nested_view/NestedView.java http://jenkins-ci.org/commit/32784 Log: [nested-view] JENKINS-6832 implement canDelete for compatibility with Hudson 1.366+

          People

            mindless Alan Harder
            kenorb kenorb
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: