From the Jira bug report it looks like a user can edit a view even if he has no permission defined for a VIEW, is this intended?

> On 21.03.2021 at 23:36, Ullrich Hafner <[email protected]> wrote:
>
> I am trying to secure a POST method that is invoked during configuration of a
> view column.
>
> I started with a permission check for View.CONFIGURE but this was too
> restrictive and does not work with role based authorization strategy.
>
> When I add an ItemGroup object as @AncestorInPath then I don’t find a
> corresponding ACL method in Jenkins.
>
> So my planned code looks like:
>
> @POST
> public ListBoxModel doFillTypeItems(@AncestorInPath final ItemGroup<?> item) {
>     if (item == null) {
>         if (Jenkins.get().hasPermission(View.CONFIGURE)) {
>             return createTypesModel();
>         }
>     }
>     if (Jenkins.get().getAuthorizationStrategy().getACL(item).hasPermission(View.CONFIGURE)) {
>         return createTypesModel();
>     }
>     return new ListBoxModel();
> }
>
> But there is no getAcl method for item groups. What is the correct way to
> authenticate here?
>
> What I also tried is to use a View. This code compiles but I do not get the
> view as AncestorInPath.
>
> @POST
> public ListBoxModel doFillTypeItems(@AncestorInPath final View view) {…}
