- Type: Bug
- Resolution: Not A Defect
- Priority: Minor
- Component/s: matrix-auth-plugin
Problem
Having a pipeline configured and the Matrix-Auth-Plugin in place, users are able to 'Replay' a build.
If a user is missing the 'Run/Build -> Replay' permission, the button text turns to 'Rebuild'.
If the user with the limited permissions now hits the 'Rebuild' button, he / she gets redirected to the /replay page of the build.
Though he / she is not able to manipulate the content of the Shared Library (which is good), it is still possible that a build is triggered with a quite inconsistent Shared Library status: under the hood, a 'Replay' is indeed performed.
This comes from the fact that not the complete content of the Shared Library is shown for manipulation on the Replay page.
Contents from 'vars' and 'src' are offered for manipulation, while contents from the 'resources' folder are always taken from the latest version.
Being a developer using the 'Replay', I consider this just being a limitation somehow.
Being a user without the knowledge what a 'Replay' which is called 'Rebuild' does, this behaviour is not really explainable nor predictable at all.
I guess the intention is that if a user is missing the 'Replay'-permission, he / she at least gets the possibility to re-trigger an already created build.
The comfort is then in not needing to re-enter the values for parameters, as 'Replay' simply takes the parameters over from the target build it was triggered for.
But, that in combination with
- JENKINS-76292 - Non-admin users see "Rebuild" button twice when Rebuilder plugin is installed
- the fact that build logic can be even harmful (see example below)
I tend to consider this behaviour being a bug, possibly security relevant.
Suggestion
I would propose to simply not show the 'Replay'-button at all in the sidebar if the user is missing the permission for it.
Not even rename it to 'Rebuild'.
Benefits:
- WYSIWYG: if the user has the permission for 'Replay', the button appears; if the permission is not granted -> no button for it
- Consistent Shared Lib usage
- JENKINS-76292 would be solved automatically; if people need the functionality of 'I want to trigger a new build of my job without providing all the parameters again because I did already in build number #X', the 'Rebuilder' plugin can be used easily
Additional infos
Scenario / Example:
- Have a user 'Fred' with missing permissions of 'Run/Build -> Replay'
- Have a build #1, using version A of a Shared Library
- Version A of the Shared Library provides a method 'uploadArtifacts' somewhere under 'vars', which collects artifacts from the build and uploads them to an external Artifactory
- The endpoint definition of the external Artifactory is defined in the Shared Library under 'resources/endpoints.json'
- Build #1 uploads artifacts to the endpoint defined in 'resources/endpoints.json'
- The company switched the provider of the external Artifactory, a new version B of the Shared Library was created
- 'resources/endpoints.json' was adapted to point to the new endpoint
- 'vars/uploadUtil#uploadArtifacts' was extended with a filter mechanism so that some artifacts are skipped during upload
- Now Fred hits 'Rebuild' (which is, as said, 'Replay' without the possibility to modify the Shared-Lib contents) on Build #1
What is now happening is that:
- Upload to new endpoint as defined in 'resources/endpoints.json' (because this is taken from the latest Shared lib version available) -> Shared Lib version B
- 'vars/uploadUtil#uploadArtifacts' is still the same logic as in build #1, missing the filter mechanism -> Shared Lib version A
This example shows that it is quite easy to use a totally inconsistent, hard to debug Shared Library version.
I consider this being a bug as the behaviour can be unpredictable and it should not be possible to mix up 'CICD logic' as a user that easily.
Besides the fact that we observed this on multiple of our self-hosted instances, it can be reproduced with an up-to-date fresh Docker-Jenkins installation.
Environment
- jenkins/jenkins:lts-jdk21 - which gave me Jenkins Version 2.541.2 at the time of writing (Feb. 2026)
- Matrix Authorization Strategy Plugin Version 3.2.9
Reproduction
- Start a new container of the Jenkins image
- Follow the setup, do not install any suggested plugins
- After finishing the installation, install the 'Matrix Authorization Strategy' plugin
- Your account will stay administrator
- Set up a very basic Shared Library with
  - resources/endpoints.txt, with the content
        Singing in the rain.
  - vars/dumpUtil.groovy, with the content
        void dumpSomething() { println '### Mambo No 7' }
  - the Shared Library will be accessible under the name 'dancefloor'
- Have a very simple pipeline which is using both the resources
      @Library('dancefloor') _
      pipeline {
          agent any
          parameters {
              choice(
                  name: 'parChoice',
                  choices: ['a', 'b', 'c'],
                  description: '''Your choice ''',
              )
          } // parameters
          stages {
              stage('Test') {
                  steps {
                      script {
                          println "* ${STAGE_NAME} - Begin"
                          println "** Var dump"
                          println "*** parChoice: [${parChoice}]"
                          final String txtContent = libraryResource 'endpoints.txt'
                          println "*** Shared Lib entry: [${txtContent}]"
                          dumpUtil.dumpSomething()
                          println "* ${STAGE_NAME} - End"
                      } // script
                  } // steps
              } // stage
          } // stages
      } // pipeline
- Create a new account for Dummy-User 'Fred'
- In a new private window of your browser, log in as 'Fred' and continue
- Trigger a new build of the job. The console log will show you:
- the chosen parameter
- content of resources/endpoints.txt
- content dumped by vars/dumpUtil.groovy
      *** parChoice: [b]
      *** Shared Lib entry: [Singing in the rain. ]
      ### Mambo No 7
- Now provide a new version of the Shared Library, where both files are edited
  - resources/endpoints.txt, with the content
        Singing in the sun.
  - vars/dumpUtil.groovy, with the content
        void dumpSomething() { println '### Mambo No 5' }
- Now as Fred, hit the 'Rebuild-which-is-pointing-to-Replay'-Button -> 'Run'
- In the console log, you will find
      *** parChoice: [b]
      *** Shared Lib entry: [Singing in the sun. ]
      ### Mambo No 7
- relates to JENKINS-76292 Non-admin users see "Rebuild" button twice when Rebuilder plugin is installed (Open)
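A guard against the mixed state shown in the reproduction, as an added example that is not part of the original report or of any Jenkins plugin. The file names vars/libGuard.groovy and resources/lib-version.txt and the version values are assumptions; libraryResource, error and echo are existing pipeline steps. It relies on the behaviour reported above: 'vars' come from the replayed build while 'resources' come from the latest library version.

```groovy
// vars/libGuard.groovy  (hypothetical file, added example)
//
// Release rule (assumption): every library version writes the same marker into
// BOTH this file and resources/lib-version.txt (hypothetical resource).
import groovy.transform.Field

@Field final String VARS_VERSION = 'A'   // constructed sample value

/**
 * Fails the build when 'vars' and 'resources' come from different library
 * versions, which is the state reached through 'Rebuild'/'Replay' as reported
 * above: vars from the replayed build, resources from the latest version.
 */
void assertConsistent() {
    // libraryResource is the same step the reproduction pipeline uses.
    String resourcesVersion = libraryResource('lib-version.txt').trim()

    if (resourcesVersion != VARS_VERSION) {
        error("Shared Library 'dancefloor' is mixed: vars=${VARS_VERSION}, " +
              "resources=${resourcesVersion}. Start a fresh build instead of " +
              "replaying an old one.")
    }
    echo "Shared Library consistent at version ${VARS_VERSION}"
}

// In the Jenkinsfile, as the first step of the first stage:
//     script { libGuard.assertConsistent() }
```

With version B carrying the marker 'B' in both places, a replay of build #1 stops at the guard because the replayed vars still say 'A' while the resource read returns 'B'.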