[JIRA] (JENKINS-62054) Support action is displayed even if the user does not have the rights


pibeitz@gmail.com (JIRA)

Apr 25, 2020, 2:35:02 PM
to jenkinsc...@googlegroups.com
Pierre Beitz started work on Bug JENKINS-62054
 
Change By: Pierre Beitz
Status: Open → In Progress
 
This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)

pibeitz@gmail.com (JIRA)

Apr 25, 2020, 2:35:03 PM
to jenkinsc...@googlegroups.com
Pierre Beitz created an issue
 
Jenkins / Bug JENKINS-62054
Support action is displayed even if the user does not have the rights
Issue Type: Bug
Assignee: Pierre Beitz
Components: support-core-plugin
Created: 2020-04-25 18:34
Environment: Any version of the plugin
Any core version
Priority: Major
Reporter: Pierre Beitz

Browse a Jenkins instance without admin rights (noticed with anonymous on the community Jenkins), and observe that you can see the Support link on the left of a Job. You can click on it and see the bundle generation screen.

This is only a display issue; you cannot do more as the rest is protected. The screen itself doesn't show information you are not allowed to see.

The same is also visible for the Computers.

pibeitz@gmail.com (JIRA)

Apr 25, 2020, 2:37:02 PM
to jenkinsc...@googlegroups.com

aheritier@apache.org (JIRA)

Apr 26, 2020, 7:40:03 AM
to jenkinsc...@googlegroups.com

pibeitz@gmail.com (JIRA)

Apr 26, 2020, 11:39:02 AM
to jenkinsc...@googlegroups.com

Arnaud Héritier, here is the link where I detected this: https://ci.jenkins.io/job/Plugins/job/shelve-project-plugin/job/master/29/support/

I must admit I don't know how the management of permissions for an action in Jelly works. I have the same pattern in the shelve project plugin and I drive this with the Java code (like I did in the PR for this task).

aheritier@apache.org (JIRA)

Apr 26, 2020, 11:53:02 AM
to jenkinsc...@googlegroups.com

Obviously there is a problem, Pierre Beitz.

It's not a security issue from my POV (Daniel Beck) because you cannot generate anything, but I agree with you that we should fix it.

Not sure about the fix you propose and why the permissions set in actions by Allan BURDAJEWICZ don't work.
