- Improvement
- Resolution: Unresolved
- Major
- None
We have tested the latest changes for this plugin in our test environment (PR: Security fixes by mPokornyETM - Pull Request #180 - jenkinsci/job-restrictions-plugin) and would like to provide some feedback on it:
Before updating the plugin to the latest version:
We could see that a regular user with no overall administrator rights, who just has Configure permission on the test node, is able to configure job restrictions at node level.
After updating the plugin to the latest version:
The same test user is now not able to configure job restrictions at node level, as they get an access denied error => the user impact could be significant.
As for the permissions check added:
Jenkins.get().checkPermission(Jenkins.ADMINISTER); -> This verifies whether the user has overall administrator permission in Jenkins. However, for using this plugin, we should ensure that the user has administrator rights to the specific node.
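To make the two checks concrete, here is an added illustration (not code from the plugin or from the PR under discussion) of the overall-administrator gate quoted above next to a node-scoped gate. Jenkins has no per-node "administer" permission; the permission that corresponds to the "Configure permission on the test node" mentioned in the report is Computer.CONFIGURE, and the node-scoped check below assumes that this is the permission meant. The class and method names are hypothetical; Jenkins.get(), Jenkins.ADMINISTER, Computer.CONFIGURE, Node.toComputer() and the checkPermission()/hasPermission() methods of AccessControlled are real Jenkins core APIs.

```java
import hudson.model.Computer;
import hudson.model.Node;
import hudson.security.AccessControlled;
import jenkins.model.Jenkins;

/** Hypothetical helper contrasting the two permission scopes discussed in the report. */
public class JobRestrictionPermissionCheck {

    /**
     * Overall-administrator gate, as added in the PR: throws AccessDeniedException for
     * any user lacking Overall/Administer, including the node-scoped Configure user.
     */
    public static void requireOverallAdmin() {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
    }

    /**
     * Node-scoped gate: the caller must hold Configure on this particular node.
     * The ACL is taken from the node's Computer, which is the object Jenkins
     * authorization strategies evaluate agent permissions against; a node that
     * has no Computer yet (e.g. while being created) falls back to the Jenkins ACL.
     */
    public static void requireNodeConfigure(Node node) {
        AccessControlled target = aclHolderFor(node);
        target.checkPermission(Computer.CONFIGURE);
    }

    /** Non-throwing variant for UI code: hide the restriction section instead of failing. */
    public static boolean canConfigureNode(Node node) {
        return aclHolderFor(node).hasPermission(Computer.CONFIGURE);
    }

    private static AccessControlled aclHolderFor(Node node) {
        Computer computer = node.toComputer();
        return (computer != null) ? computer : Jenkins.get();
    }
}
```

Note the trade-off the report is pointing at: Overall/Administer is the narrowest gate and denies the node-scoped user entirely, while Computer.CONFIGURE on the specific node admits exactly the users who may already edit that node's configuration, and nobody else. Which of the two is appropriate depends on whether editing job restrictions is considered part of configuring a node or a global security setting; whichever is chosen, the same check should be applied consistently in the form submission path and in the UI that renders the section, so that the form does not offer an action the backend will reject.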