On Thu, Apr 3, 2014 at 1:59 PM, Jesse Glick <[email protected]> wrote: >> let edge abstract away the access control check? > > already possible I think, since each DependencyDeclarer constructs its own > Dependency.
Thinking about this more and it does not really make sense. Moving the current permission checks from BuildTrigger.execute into BuildTrigger.buildDependencyGraph's Dependency.shouldTriggerBuild would be easy enough. (The check for AbstractProject.isDisabled would have to be moved after the call to shouldTriggerBuild, to avoid leaking information about invisible but disabled projects; and the replacement of SYSTEM with ANONYMOUS and accompanying warnings would have to stay where they are.) But what about the other direction? As you wrote, > #2 would have to check if the principal that will run build B can see job A. But this information—the principal that will run build B—is not available. Within shouldTriggerBuild, Jenkins.getAuthentication() will of course return the principal currently running a build of A. But QueueItemAuthenticator only reports what the authentication should be for a Queue.Item, not a .Task, and at this point there _is_ no .Item yet because we have not decided if there should be one. So this just seems like a missing API in QIA: Authentication authenticate(Queue.Task task). In fact the only known (non-test) implementation, ProjectQueueItemAuthenticator, does nothing with the Item it is handed except look up its Task field. (And the implicit fallback implementation, as written in Queue.Item.authenticate(), does the same.) So to solve this the way you suggest, QIA needs to be enriched, and authorize-project-plugin has to implement the new API. (Probably it could do so without a dep on the new Jenkins version, by just omitting @Override in sources.) QIA.authenticate(Task) would be useful for other reasons anyway. For example, currently BuildTrigger.DescriptorImpl.doCheck is unable to verify that a proposed downstream project is actually acceptable, because it has no way of knowing what authentication _would_ be used during a build of upstream. -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
