branch-api only controls permission of the multi-branch project itself if it's in an OrganizationFolder. There is no mechanism to always restrict configuration permission of the children (branch jobs). It requires an override of hudson.model.Job#getACL() as you've done for Pipeline (https://github.com/jenkinsci/workflow-job-plugin/blob/workflow-job-2.3/src/main/java/org/jenkinsci/plugins/workflow/job/WorkflowJob.java#L350 and https://github.com/jenkinsci/workflow-multibranch-plugin/blob/workflow-multibranch-2.8/src/main/java/org/jenkinsci/plugins/workflow/multibranch/BranchJobProperty.java#L61). This is not possible to do in multi-branch-project-plugin because I make direct use of the existing FreeStyleProject, MavenModuleSet, IvyModuleSet, and MatrixProject types. Extending these types to override things such as the ACL was an attempted and failed approach (easily do-able for FreeStyleProjects but I remember having some headaches with MavenModuleSet), but admittedly the multi-branch types for each of these should be in their respective plugins or entirely separate.
Anyway, without the override, hudson.model.Job#getACL() delegates to the authorization strategy, not the parent's ACL. Project-based matrix auth will attempt to inherit from the parent ACL though. In turn, this makes the branch jobs open to everyone unless the matrix auth property is set to strip the config and delete permissions by using the "disallow inheritance" (or whatever it's called) setting on matrix auth property.

On Wednesday, July 6, 2016 at 3:53:36 PM UTC-7, Jesse Glick wrote:
> On Fri, Jul 1, 2016 at 10:22 PM, Matthew DeTullio <[email protected]> wrote:
> > I think the only way to prevent direct configuration involves using
> > project-based matrix authorization as your security strategy.
>
> `branch-api` does this automatically, FWIW.
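
The kind of getACL() override discussed in the message above, as an added example that is not part of the original e-mail or of any plugin's code. The class names are hypothetical, and it assumes a 2016-era Jenkins core in which ACL#hasPermission takes an org.acegisecurity.Authentication (newer cores use hasPermission2 with Spring Security's Authentication).

```java
import hudson.model.FreeStyleProject;
import hudson.model.Item;
import hudson.model.ItemGroup;
import hudson.security.ACL;
import hudson.security.Permission;
import org.acegisecurity.Authentication;

/** Hypothetical wrapper: same decisions as the wrapped ACL, minus direct configure/delete. */
final class ManagedByParentAcl extends ACL {
    private final ACL delegate;

    ManagedByParentAcl(ACL delegate) {
        this.delegate = delegate;
    }

    @Override
    public boolean hasPermission(Authentication a, Permission permission) {
        if (ACL.SYSTEM.equals(a)) {
            return true; // internal work by the parent (e.g. removing a dead branch) still runs
        }
        if (permission == Item.CONFIGURE || permission == Item.DELETE) {
            return false; // denied for every user, administrators included
        }
        return delegate.hasPermission(a, permission); // everything else: the strategy decides
    }
}

/** Hypothetical branch job type; its descriptor is assumed to be defined elsewhere in the plugin. */
public class LockedBranchFreeStyleProject extends FreeStyleProject {
    public LockedBranchFreeStyleProject(ItemGroup parent, String name) {
        super(parent, name);
    }

    @Override
    public ACL getACL() {
        // super.getACL() asks the authorization strategy, as the message describes;
        // the wrapper then removes configure/delete regardless of what it grants.
        return new ManagedByParentAcl(super.getACL());
    }
}
```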
