[JIRA] (JENKINS-56607) Broken Jelly permission check creates MANAGE_DOMAINS user

[dbeck@cloudbees.com (JIRA)]

Daniel Beck created an issue

Jenkins / JENKINS-56607 Broken Jelly permission check creates MANAGE_DOMAINS user Issue Type: Bug Assignee: Daniel Beck Components: credentials-plugin Created: 2019-03-18 22:46 Priority: Minor Reporter: Daniel Beck https://github.com/jenkinsci/credentials-plugin/blob/11873056e05470405fa004adbd2967d96eeafa12/src/main/resources/com/cloudbees/plugins/credentials/ViewCredentialsAction/action.jelly#L39 it is a User, and this ends up calling static User#get(String) This does not impact security, but the check will succeed, and the "Add domain" link will be shown to users without the necessary permission. Add Comment

This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

[dbeck@cloudbees.com (JIRA)]

Daniel Beck updated JENKINS-56607

Jenkins / JENKINS-56607 Broken Jelly permission check creates MANAGE_DOMAINS user

Change By: Daniel Beck Status: In Progress Review

Add Comment

[dbeck@cloudbees.com (JIRA)]

Daniel Beck started work on JENKINS-56607

Change By: Daniel Beck Status: Open In Progress

Add Comment

[boards@gmail.com (JIRA)]

Matt Sicker updated JENKINS-56607

Merged to master.

Jenkins / JENKINS-56607 Broken Jelly permission check creates MANAGE_DOMAINS user

Change By: Matt Sicker Status: In Review Fixed but Unreleased Resolution: Fixed

Add Comment

[boards@gmail.com (JIRA)]

Matt Sicker updated JENKINS-56607

Released in credentials-2.2.1.

Jenkins / JENKINS-56607 Broken Jelly permission check creates MANAGE_DOMAINS user

Change By: Matt Sicker Status: Fixed but Unreleased Resolved Released As: credentials-2.2.1

Add Comment