Hello, all. I'm working on the puppet-enterprise-pipeline plugin trying to use the permission system to specify who can perform a certain action through the API. I'm guessing I'm missing something about the way the Jenkins permission system works.
I've specified a permission called Hiera/Lookup[1]. When I try to test the current authenticated user, the `hasPermission()`[2] method always returns true if the user has the Overall/Read permission. I do have the Lookup permission be implied by the Jenkins.READ permission, but I get the same result if I set the `impliedBy` parameter in the Permission constructor to null.
I'm after the use cases below (sorry for the Gherkin user stories, but they're great for describing specific behaviors). There is one test I cannot get to pass due to my misunderstanding how to use the system[3]. Any help is greatly appreciated.

When there is a call to /hiera/lookup
And it is unauthenticated
And the "anonymous" user has Hiera/Lookup permission
Then the call is authorized

When there is a call to /hiera/lookup
And it is authenticated
And the user has Overall/Read permission
And the user does not have Hiera/Lookup permission
Then the call is unauthorized

When there is a call to /hiera/lookup
And the "Logged-in users can do anything" authorization system is being used
And the call is unauthenticated
Then the call is authorized

When there is a call to /hiera/lookup
And a non-Matrix authorization system is being used where unauthenticated users have read access
And the call is unauthenticated
Then the call is authorized

When there is a call to /hiera/lookup
And a non-Matrix authorization system is being used where unauthenticated users do not have read access
And the call is unauthenticated
Then the call is unauthorized
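
Added example, not part of the original post or the plugin's code: a simplified Python model of an implied-by chain check, run over the five scenarios above. The `has_permission` function, the grant sets and the user name `alice` are constructed assumptions, and scenario 3 assumes anonymous read access is enabled.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Permission:
    name: str
    implied_by: Optional["Permission"] = None  # parent that also grants this one


READ = Permission("Overall/Read")


def has_permission(grants, sid, perm):
    """True if sid holds perm or any permission on perm's implied-by chain."""
    while perm is not None:
        if (sid, perm.name) in grants:
            return True
        perm = perm.implied_by
    return False


# (scenario number, caller, grants in force, expected "authorized").
# Grant sets are constructed stand-ins for each authorization strategy;
# scenario 3 assumes the strategy's anonymous read access is enabled.
SCENARIOS = [
    (1, "anonymous", {("anonymous", "Hiera/Lookup")}, True),
    (2, "alice", {("alice", "Overall/Read")}, False),
    (3, "anonymous", {("anonymous", "Overall/Read")}, True),
    (4, "anonymous", {("anonymous", "Overall/Read")}, True),
    (5, "anonymous", set(), False),
]


def failing(lookup):
    """Scenario numbers whose outcome differs from the expected one."""
    return [n for n, sid, grants, want in SCENARIOS
            if has_permission(grants, sid, lookup) != want]


if __name__ == "__main__":
    print(failing(Permission("Hiera/Lookup", READ)))  # implied by Overall/Read
    print(failing(Permission("Hiera/Lookup")))        # no implication
```

Under this model, implying Hiera/Lookup by Overall/Read fails only scenario 2, while removing the implication fails scenarios 3 and 4.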