Index: src/main/java/hudson/WebAppMain.java =================================================================== --- src/main/java/hudson/WebAppMain.java (revision 13567) +++ src/main/java/hudson/WebAppMain.java (working copy) @@ -4,6 +4,7 @@ import com.thoughtworks.xstream.core.JVM; import hudson.model.Hudson; import hudson.model.User; +import hudson.security.ACL; import hudson.triggers.SafeTimerTask; import hudson.triggers.Trigger; import hudson.util.HudsonIsLoading; @@ -18,6 +19,7 @@ import org.jvnet.localizer.LocaleProvider; import org.kohsuke.stapler.Stapler; import org.kohsuke.stapler.StaplerRequest; +import org.acegisecurity.context.SecurityContextHolder; import org.apache.tools.ant.types.FileSet; import javax.naming.Context; @@ -165,7 +167,10 @@ // can be served quickly Trigger.timer.schedule(new SafeTimerTask() { public void doRun() { + //this thread is initializing hudson. it should have full permission + SecurityContextHolder.getContext().setAuthentication(ACL.SYSTEM); User.getUnknown().getBuilds(); + SecurityContextHolder.clearContext(); } }, 1000*10); } catch (Error e) { Index: src/main/java/hudson/model/AbstractProject.java =================================================================== --- src/main/java/hudson/model/AbstractProject.java (revision 13690) +++ src/main/java/hudson/model/AbstractProject.java (working copy) @@ -929,7 +929,7 @@ * Schedules a new build command. */ public void doBuild( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException { - BuildAuthorizationToken.checkPermission(this, authToken, req, rsp); + checkPermission(BUILD); // if a build is parameterized, let that take over ParametersDefinitionProperty pp = getProperty(ParametersDefinitionProperty.class); 
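Review bot: In the `doRun()` of the task scheduled on `Trigger.timer`, `SecurityContextHolder.clearContext()` is reached only if `User.getUnknown().getBuilds()` returns normally, so an exception would leave `ACL.SYSTEM` bound to the timer thread for whatever task runs on it next (assuming the holder is thread-bound, as is the default). Wrap the work as `try { User.getUnknown().getBuilds(); } finally { SecurityContextHolder.clearContext(); }`. The two `Trigger.java` `doRun()` hunks have the same shape, with the whole cron loop sitting between `setAuthentication` and `clearContext`, and need the same `finally`. Restoring the previously held authentication instead of clearing it would be safer if these tasks can ever run on a thread that already carries an identity.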
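Review bot: `doBuild` now calls `checkPermission(BUILD)` and no longer hands `authToken` to anything, so the token-based trigger path that `BuildAuthorizationToken.checkPermission(this, authToken, req, rsp)` offered appears to be dropped in this handler; the `doPolling` hunk makes the same swap. If that is intended, state it in the change description and review the token setting, so that administrators do not assume a configured token still governs these URLs. If it is not intended, keep the token check as an accepted alternative to the permission check. Callers that relied on the token without logging in (scripts, SCM hooks) will presumably start being denied. `doBuild`'s body continues outside the hunk.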
@@ -960,7 +960,7 @@ * Schedules a new SCM polling command. */ public void doPolling( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException { - BuildAuthorizationToken.checkPermission(this, authToken, req, rsp); + checkPermission(BUILD); schedulePolling(); rsp.forwardToPreviousPage(req); } Index: src/main/java/hudson/model/Hudson.java =================================================================== --- src/main/java/hudson/model/Hudson.java (revision 13567) +++ src/main/java/hudson/model/Hudson.java (working copy) @@ -331,6 +331,9 @@ public Hudson(File root, ServletContext context) throws IOException { + //as hudson is starting, grant this process full controll + SecurityContextHolder.getContext().setAuthentication(ACL.SYSTEM); + this.root = root; this.servletContext = context; if(theInstance!=null) @@ -738,7 +741,19 @@ * @see #getAllItems(Class) */ public List<TopLevelItem> getItems() { - return new ArrayList<TopLevelItem>(items.values()); + List<TopLevelItem> viewableItems = new ArrayList<TopLevelItem>(); + for (TopLevelItem item : items.values()) { + if (item instanceof AccessControlled) { + if (((AccessControlled)item).hasPermission(Item.READ)) { + viewableItems.add(item); + } + } + else { + viewableItems.add(item); + } + } + + return viewableItems; } /** @@ -1231,7 +1246,13 @@ */ @Override public TopLevelItem getItem(String name) { - return items.get(name); + TopLevelItem item = items.get(name); + if (item instanceof AccessControlled) { + if (!((AccessControlled) item).hasPermission(Item.READ)) { + return null; + } + } + return item; } public File getRootDirFor(TopLevelItem child) { Index: src/main/java/hudson/model/Item.java =================================================================== --- src/main/java/hudson/model/Item.java (revision 13659) +++ src/main/java/hudson/model/Item.java (working copy) 
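Review bot: The `Hudson` constructor binds `ACL.SYSTEM` to the calling thread and nothing visible in the hunk clears it, so whichever thread constructs the instance keeps full permission after start-up. If that thread belongs to the servlet container and is reused for requests, code running on it would bypass the `Item.READ` checks this patch adds. Clear the context in a `finally` once initialization is done; the constructor body continues outside the hunk, so the right place may be there or in the caller. The comment also has a typo: `controll` should be `control`.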
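Review bot: `getItems()` adds any `TopLevelItem` that is not `AccessControlled` without a check, so the filter fails open for such types; `getItem(String)` in the next hunk has the same `instanceof` branch. The result now also depends on the calling thread's authentication, which the Javadoc does not say; add a line such as `Returns only the items on which the current user has Item.READ.`. Callers that use `getItems()` to compute or persist global state should be checked, since on a request thread they would silently work from a partial list. `getAllItems(Class)`, referenced in the Javadoc, is not in the diff, so confirm it goes through the same filter.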
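Review bot: Returning `null` from `getItem(String)` for an item the caller may not read makes "hidden" indistinguishable from "absent". That avoids disclosing job names, but it is risky for any caller that uses `getItem(name) == null` as a name-is-free test when creating or renaming a job (inferred; those callers are outside the diff). Keep an unfiltered internal lookup for uniqueness checks, and document the contract in the Javadoc: `@return null if no such item exists or the current user lacks Item.READ on it`.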
@@ -167,4 +167,6 @@ public static final Permission CREATE = new Permission(PERMISSIONS,"Create", Permission.CREATE); public static final Permission DELETE = new Permission(PERMISSIONS,"Delete", Permission.DELETE); public static final Permission CONFIGURE = new Permission(PERMISSIONS,"Configure", Permission.CONFIGURE); + public static final Permission READ = new Permission(PERMISSIONS,"Read", Permission.READ); + } Index: src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java =================================================================== --- src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java (revision 13659) +++ src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java (working copy) @@ -72,11 +72,6 @@ return sids; } - private Object readResolve() { - acl = new AclImpl(); - return this; - } - /** * Checks if the given SID has the given permission. */ Index: src/main/java/hudson/triggers/Trigger.java =================================================================== --- src/main/java/hudson/triggers/Trigger.java (revision 13567) +++ src/main/java/hudson/triggers/Trigger.java (working copy) @@ -17,6 +17,7 @@ import hudson.model.WorkspaceCleanupThread; import hudson.scheduler.CronTab; import hudson.scheduler.CronTabList; +import hudson.security.ACL; import hudson.util.DoubleLaunchChecker; import java.io.InvalidObjectException; @@ -31,6 +32,8 @@ import java.util.logging.Level; import java.util.logging.Logger; +import org.acegisecurity.context.SecurityContextHolder; + /** * Triggers a {@link Build}. * @@ -136,6 +139,9 @@ private final Calendar cal = new GregorianCalendar(); public void doRun() { + //this is background system work. it should have full permission + SecurityContextHolder.getContext().setAuthentication(ACL.SYSTEM); + while(new Date().getTime()-cal.getTimeInMillis()>1000) { LOGGER.fine("cron checking "+cal.getTime().toLocaleString()); 
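Review bot: The new `READ` constant has no Javadoc, although `Hudson.getItems()`, `getItem()` and the Jelly views in this patch all key on it. Add a comment such as `/** Permission to see that this item exists and to view it. */`. The comment or the change description should also say what happens on upgrade: authorization settings saved before this change contain no grant for `Item.READ`. Unless it is implied by `Permission.READ` (the third constructor argument suggests so, but the constructor is not shown), jobs could disappear for every non-administrator.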
@@ -149,6 +155,7 @@ cal.add(Calendar.MINUTE,1); } + SecurityContextHolder.clearContext(); } } Index: src/main/resources/lib/hudson/executors.jelly =================================================================== --- src/main/resources/lib/hudson/executors.jelly (revision 13369) +++ src/main/resources/lib/hudson/executors.jelly (working copy) @@ -56,8 +56,17 @@ </j:when> <j:otherwise> <td class="pane" width="70%"> - <div nowrap="true">${%Building} <a href="${rootURL}/${e.currentExecutable.url}">${e.currentExecutable}</a></div> - <t:buildProgressBar build="${e.currentExecutable}"/> + <div nowrap="true">${%Building} + <j:choose> + <j:when test="${h.hasPermission(e.currentExecutable.parent,e.currentExecutable.parent.READ)}"> + <a href="${rootURL}/${e.currentExecutable.url}">${e.currentExecutable}</a> + <t:buildProgressBar build="${e.currentExecutable}"/> + </j:when> + <j:otherwise> + <span>${%Unkown Task}</span> + </j:otherwise> + </j:choose> + </div> </td> <td class="pane" width="16" align="center" valign="middle"> <j:if test="${e.hasStopPermission()}"> Index: src/main/resources/lib/hudson/queue.jelly =================================================================== --- src/main/resources/lib/hudson/queue.jelly (revision 13369) +++ src/main/resources/lib/hudson/queue.jelly (working copy) 
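Review bot: In `executors.jelly` the fallback text uses the misspelt message key `${%Unkown Task}`, while `queue.jelly` uses `${%Uknown Task}`; both should be `${%Unknown Task}` so a single translation entry covers them. The test `h.hasPermission(e.currentExecutable.parent,e.currentExecutable.parent.READ)` reads the permission constant through an instance property, which depends on how the expression language resolves `READ`. If it evaluates to null, the outcome depends on what `hasPermission` does with a null permission, so confirm that this case denies rather than allows. The expression also assumes every executable has a `parent` that the helper accepts, which is not visible here.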
@@ -32,10 +32,17 @@ <tr> <td class="pane" width="100%" tooltip="${item.why}"> <j:set var="stuck" value="${item.isStuck()}" /> + <j:choose> + <j:when test="${h.hasPermission(item.task,item.task.READ)}"> <a href="${rootURL}/${item.task.url}" style="${h.ifThenElse(stuck,'color:#ef2929',null)}"> ${item.task.fullDisplayName} <j:if test="${stuck}"> (${%appears to be stuck})</j:if> </a> + </j:when> + <j:otherwise> + <span>${%Uknown Task}</span> + </j:otherwise> + </j:choose> </td> <td class="pane" width="16" align="center" valign="middle"> <j:if test="${item.hasCancelPermission()}"> Index: src/main/resources/lib/hudson/project/upstream-downstream.jelly =================================================================== --- src/main/resources/lib/hudson/project/upstream-downstream.jelly (revision 13369) +++ src/main/resources/lib/hudson/project/upstream-downstream.jelly (working copy) @@ -22,10 +22,12 @@ <h2>${%Upstream Projects}</h2> <ul style="list-style-type: none;"> <j:forEach var="item" items="${upstream}"> + <j:if test="${h.hasPermission(item,item.READ)}"> <li> <local:showItem /> <local:relationship lhs="${item}" rhs="${it}"/> </li> + </j:if> </j:forEach> </ul> </j:if> @@ -34,11 +36,15 @@ <h2>${%Downstream Projects}</h2> <ul style="list-style-type: none;"> <j:forEach var="item" items="${downstream}"> + <j:if test="${h.hasPermission(item,item.READ)}"> <li> <local:showItem /> <local:relationship lhs="${it}" rhs="${item}"/> </li> + </j:if> </j:forEach> </ul> </j:if> + + </j:jelly> \ No newline at end of file
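Review bot: In `queue.jelly` the enclosing `<td>` still carries `tooltip="${item.why}"` for users who fail the `READ` test, so the reason text is rendered even when the task name is replaced by the placeholder. If `item.why` can mention the project or what it is waiting for, the tooltip discloses what the `<j:choose>` is meant to hide. Set the tooltip only in the permitted branch, or blank it in the `<j:otherwise>` branch.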
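Review bot: In `upstream-downstream.jelly` the `<j:if test="${h.hasPermission(item,item.READ)}">` filter sits inside the `forEach`, so the `Upstream Projects` heading and an empty `<ul>` still render when every related project is hidden. That tells the viewer that hidden relationships exist; the `Downstream Projects` hunk has the same shape. The outer `<j:if>` guarding each section is outside the hunk; filtering the `upstream` and `downstream` collections before that test would avoid the empty sections.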