[ https://issues.jenkins-ci.org/browse/JENKINS-12080?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=158800#comment-158800 ]

SCM/JIRA link daemon commented on JENKINS-12080:
------------------------------------------------

Code changed in jenkins
User: Nicolas De Loof
Path:
 src/main/java/hudson/plugins/groovy/SystemGroovy.java
 src/main/resources/hudson/plugins/groovy/SystemGroovy/config.jelly
 src/main/webapp/systemscript-projectconfig.html
http://jenkins-ci.org/commit/groovy-plugin/d40a525294b920e11ba388060b58111c19f5c337
Log:
  [FIXED JENKINS-12080] use a hidden, encrypted field to store configured script when user isn't admin

> job configuration corrupted when user isn't admin
> -------------------------------------------------
>
>                 Key: JENKINS-12080
>                 URL: https://issues.jenkins-ci.org/browse/JENKINS-12080
>             Project: Jenkins
>          Issue Type: Bug
>          Components: groovy
>            Reporter: Nicolas De Loof
>            Assignee: vjuranek
>
> Let's consider:
> - a user with job configuration rights and no overall admin right
> - a job containing a system groovy build step
>
> If the user edits the configuration, makes a change (even without altering the system groovy part) and then saves the configuration, an error message is displayed:
>
> Access Denied
> <username> is missing the Administer permission
>
> On job save, the Groovy plugin checks for admin permission to save the system groovy script. It may then fail. This should have been checked before rendering the UI. The side effect is that the job config is partially saved (without the user knowing it) and may be corrupted (the exception occurs in Project.submit() from builders.rebuildHetero, so the job has been partially configured and not saved).
>
> The job configuration page, when including a system groovy script, should not be editable when the user doesn't have ADMIN permission. Not sure about the cleaner way to implement the ADMIN-only configuration.
>
> OR the script should be set read-only for non-ADMIN users and then only displayed for information, but retrieved from another source than the standard incoming JSON request.
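The two designs contrasted in the report, an admin check that only fires while the builders list is rebuilt during save versus a read-only script whose value is taken from a server-controlled hidden field, modelled as an added Python example; this is not the plugin's code, and it substitutes an HMAC-authenticated blob for the encrypted hidden field named in the commit. Names such as render_step, save_before_fix, save_after_fix, try_save and SERVER_KEY are assumptions.

```python
import base64, hashlib, hmac, json

SERVER_KEY = b"constructed-server-side-key"  # constructed; stand-in for Jenkins' encrypted Secret

class AccessDenied(Exception): pass

def seal(script):
    """Wrap the stored script in a server-authenticated blob the browser cannot alter unnoticed."""
    mac = hmac.new(SERVER_KEY, script.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(json.dumps({"s": script, "m": mac}).encode()).decode()

def unseal(blob):
    data = json.loads(base64.b64decode(blob))
    expect = hmac.new(SERVER_KEY, data["s"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, data["m"]):
        raise ValueError("hidden script field was tampered with")
    return data["s"]

def render_step(step, is_admin):
    """Decide editability at render time: admins edit the script, others see it read-only plus a sealed copy."""
    if step["type"] != "system-groovy" or is_admin:
        return dict(step)
    return {"type": "system-groovy", "script": step["script"], "readonly": True, "sealed": seal(step["script"])}

def save_before_fix(job, submitted, is_admin):
    """Reported behaviour: builders are rebuilt in place and the admin check only fires mid-loop."""
    job["builders"].clear()
    for step in submitted:
        if step["type"] == "system-groovy" and not is_admin:
            raise AccessDenied("missing the Administer permission")  # job is now half-configured
        job["builders"].append({"type": step["type"], "script": step["script"]})

def save_after_fix(job, submitted, is_admin):
    """Fixed behaviour: a non-admin's script is taken from the sealed field, never from the editable one."""
    rebuilt = []
    for step in submitted:
        script = step["script"]
        if step["type"] == "system-groovy" and not is_admin:
            if "sealed" not in step:  # a non-admin may not introduce a new system groovy step
                raise AccessDenied("missing the Administer permission")
            script = unseal(step["sealed"])
        rebuilt.append({"type": step["type"], "script": script})
    job["builders"] = rebuilt  # replaced only after every step validated

def try_save(save_fn, job, submitted, is_admin):  # returns (saved?, resulting builders)
    try:
        save_fn(job, submitted, is_admin)
        return True, job["builders"]
    except AccessDenied:
        return False, job["builders"]
```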

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira