Permission check during view configuration (getACL)

Ullrich Hafner
Mar 21, 2021, 6:36:16 PM
to Jenkins Developers
I am trying to secure a POST method that is invoked during configuration of a view column. 

I started with a permission check for View.CONFIGURE, but this was too restrictive and does not work with the role-based authorization strategy.

When I add an ItemGroup object as @AncestorInPath then I don’t find a corresponding ACL method in Jenkins.

So my planned code looks like:

import hudson.model.ItemGroup;
import hudson.model.View;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.verb.POST;

@POST
public ListBoxModel doFillTypeItems(@AncestorInPath final ItemGroup<?> item) {
    if (item == null) {
        // No enclosing item group in the request path: check against the Jenkins root
        if (Jenkins.get().hasPermission(View.CONFIGURE)) {
            return createTypesModel();
        }
        return new ListBoxModel(); // fail closed instead of falling through with a null item
    }
    // Intended check: the ACL of the enclosing item group (this method does not exist, see below)
    if (Jenkins.get().getAuthorizationStrategy().getACL(item).hasPermission(View.CONFIGURE)) {
        return createTypesModel();
    }
    return new ListBoxModel();
}
But there is no getAcl method for item groups. What is the correct way to authenticate here?

What I also tried is to use a View. This code compiles but I do not get the view as AncestorInPath.

@POST
public ListBoxModel doFillTypeItems(@AncestorInPath final View view) {…}

Ullrich Hafner
Mar 22, 2021, 6:50:05 AM
to Jenkins Developers
From the Jira bug report it looks like a user can edit a view even if he has no permission defined for a VIEW. Is this intended?

Jesse Glick
Mar 22, 2021, 8:54:01 AM
to Jenkins Dev
On Sun, Mar 21, 2021 at 6:36 PM Ullrich Hafner <ullrich...@gmail.com> wrote:
> there is no getAcl method for item groups

Normally an `ItemGroup` will in fact be `instanceof AccessControlled` (via `Jenkins` or `AbstractFolder`).

(I cannot say I understand the intent of `View` permissions so I am not attempting to answer your question broadly. )

Ullrich Hafner
Mar 22, 2021, 11:10:59 AM
to Jenkins Developers
I see, then I just need to cast the view group accordingly. That works, thanks!
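The check the thread converges on, written out as an added example (it is not code from the posts or from a Jenkins plugin): the enclosing ItemGroup is used as the ACL scope when it implements AccessControlled, otherwise the Jenkins root is used, and callers without View.CONFIGURE get an empty model. The enclosing descriptor class and the option values in createTypesModel are assumptions.

```java
import hudson.model.ItemGroup;
import hudson.model.View;
import hudson.security.AccessControlled;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.verb.POST;

// Hypothetical descriptor that owns the form-validation method for the column.
public class TypeColumnDescriptor {

    @POST // reject GET so the list cannot be fetched via a cross-site link
    public ListBoxModel doFillTypeItems(@AncestorInPath final ItemGroup<?> item) {
        // Jenkins and AbstractFolder both implement AccessControlled, so an instanceof
        // check (rather than a bare cast) handles a null or non-ACL group by falling
        // back to the root ACL instead of throwing.
        final AccessControlled scope = item instanceof AccessControlled
                ? (AccessControlled) item
                : Jenkins.get();

        // Fail closed: no permission means no option values, not an exception.
        if (!scope.hasPermission(View.CONFIGURE)) {
            return new ListBoxModel();
        }
        return createTypesModel();
    }

    // Assumed option values; the real column would list its supported types here.
    private ListBoxModel createTypesModel() {
        ListBoxModel model = new ListBoxModel();
        model.add("Absolute values", "ABSOLUTE");
        model.add("Relative values", "RELATIVE");
        return model;
    }
}
```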


