[JIRA] (JENKINS-61235) User/people disclosure


cz@flyingcircus.io (JIRA)

Feb 26, 2020, 8:23:03 AM
to jenkinsc...@googlegroups.com
Christian Zagrodnick created an issue
 
Jenkins / Bug JENKINS-61235
User/people disclosure
Issue Type: Bug
Assignee: Daniel Beck
Components: matrix-auth-plugin
Created: 2020-02-26 13:22
Priority: Minor
Reporter: Christian Zagrodnick

With project/matrix based security, a user requires Overall/Read to do anything in the web UI. That is, even with permissions on a folder they cannot see anything and get the infamous “user is missing the Overall/Read permission”. But with the Overall/Read permission they can see all the other users (via e.g. /asynchPeople/). So there doesn’t seem to be a way to limit access to the user information – which, depending on context, is a data protection issue.

(tested on Jenkins 2.220)


dbeck@cloudbees.com (JIRA)

Feb 26, 2020, 10:30:04 AM
to jenkinsc...@googlegroups.com
Daniel Beck closed an issue as Not A Defect
 

Has nothing to do with this plugin, it cannot offer options that don't exist.

(And is a duplicate of an existing issue in the general case, no time to look right now.)

Change By: Daniel Beck
Status: Open → Closed
Resolution: Not A Defect

cz@flyingcircus.io (JIRA)

Feb 26, 2020, 10:38:04 AM
to jenkinsc...@googlegroups.com
Christian Zagrodnick commented on Bug JENKINS-61235
 
Re: User/people disclosure

Right, that's JENKINS-18884. Didn't find that before.
