[ https://issues.jenkins-ci.org/browse/JENKINS-12080?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=158801#comment-158801 ]

dogfood commented on JENKINS-12080:
-----------------------------------

Integrated in plugins_groovy #57 (http://ci.jenkins-ci.org/job/plugins_groovy/57/)
     [FIXED JENKINS-12080] use a hidden, encrypted field to store configured 
script when user isn't admin (Revision d40a525294b920e11ba388060b58111c19f5c337)

     Result = SUCCESS
Nicolas De Loof:
Files:
* src/main/java/hudson/plugins/groovy/SystemGroovy.java
* src/main/resources/hudson/plugins/groovy/SystemGroovy/config.jelly
* src/main/webapp/systemscript-projectconfig.html

> job configuration corrupted when user isn't admin
> -------------------------------------------------
>
>                 Key: JENKINS-12080
>                 URL: https://issues.jenkins-ci.org/browse/JENKINS-12080
>             Project: Jenkins
>          Issue Type: Bug
>          Components: groovy
>            Reporter: Nicolas De Loof
>            Assignee: vjuranek
>
> Let's consider:
> - a user with job configuration rights and no overall admin right
> - a job containing a system groovy build step
> If the user edits the configuration, makes a change (even without altering
> the system groovy part) and then saves the configuration, an error message is
> displayed:
> Access Denied
> <username> is missing the Administer permission
> On Job save, Groovy plugin checks for admin permission to save the system
> groovy script. It may then fail. This should have been checked before
> rendering UI. The side effect is that the job config is partially saved
> (without the user knowing it) and may be corrupted (exception occurs on
> Project.submit() from builders.rebuildHetero, so job has been partially
> configured and not saved).
> The job configuration page, when including a system groovy script, should not
> be editable when the user doesn't have ADMIN permission - Not sure about the
> cleanest way to implement the ADMIN only configuration
> OR the script should be set read-only for non ADMIN and then only displayed
> for information, but retrieved from another source than the standard incoming
> JSON request.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
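The pattern behind this ticket and its fix, as an added example that is not the Groovy plugin's own code: a form contains one admin-only field (the system Groovy script) that non-admin editors must be able to carry back unchanged. The buggy path applies part of the submission before the permission check fails, leaving the job half-configured, exactly the partial-save the reporter describes; the fixed path decides at render time what the user may edit, sends the script back in a hidden sealed field, and applies the whole submission only after every field has been validated. The names (Job, render_form, submit_buggy, submit_fixed, SERVER_KEY) are hypothetical, and the sealing uses an HMAC from the standard library rather than the encrypted hidden field the plugin used, so it proves integrity, not secrecy.

```python
"""Admin-only field inside a form edited by non-admins: the bug and the fix.

Hypothetical model of JENKINS-12080, not the Groovy plugin's code. The plugin's
fix stored the script in an encrypted hidden field; this stand-in seals it with
an HMAC so the example runs with the standard library only.
"""
import base64
import hashlib
import hmac
import secrets

# Hypothetical per-instance server secret; it is never sent to the browser.
SERVER_KEY = secrets.token_bytes(32)


class AccessDenied(Exception):
    pass


class Job:
    def __init__(self, description, script):
        self.description = description  # any editor may change this
        self.script = script            # system Groovy script: admin-only


def seal(script):
    """Encode the script as a hidden-field value the server can verify later."""
    body = base64.urlsafe_b64encode(script.encode()).decode()
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def unseal(token):
    """Return the script only if the tag proves the value came from this server."""
    body, sep, tag = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(tag, expected):
        raise AccessDenied("sealed script was altered")
    return base64.urlsafe_b64decode(body.encode()).decode()


def render_form(job, is_admin):
    """Decide at render time what the user may edit, as the reporter asked."""
    form = {"description": job.description}
    if is_admin:
        form["script"] = job.script            # editable text area
    else:
        form["script_sealed"] = seal(job.script)  # read-only display, sealed round trip
    return form


def submit_buggy(job, form, is_admin):
    """Original failure mode: mutate first, check the permission afterwards."""
    job.description = form["description"]  # already applied to the job ...
    if not is_admin:
        raise AccessDenied("missing the Administer permission")  # ... then bail out
    job.script = form["script"]


def submit_fixed(job, form, is_admin):
    """Validate the whole submission, then apply it in one step."""
    if is_admin:
        new_script = form["script"]
    else:
        if "script" in form:  # a non-admin must not set the script from the JSON
            raise AccessDenied("non-admin tried to set the script directly")
        new_script = unseal(form["script_sealed"])  # taken from the sealed field
    new_description = form["description"]
    job.description = new_description
    job.script = new_script


# Constructed scenarios; each returns the job state so it can be checked.
def scenario_non_admin_edit():
    job = Job("build", "println 'hi'")
    form = render_form(job, is_admin=False)
    form["description"] = "nightly build"
    submit_fixed(job, form, is_admin=False)
    return job.description, job.script        # description changed, script kept


def scenario_tampered_token():
    job = Job("build", "println 'hi'")
    form = render_form(job, is_admin=False)
    form["description"] = "nightly build"
    last = form["script_sealed"][-1]
    form["script_sealed"] = form["script_sealed"][:-1] + ("0" if last != "0" else "1")
    try:
        submit_fixed(job, form, is_admin=False)
        denied = False
    except AccessDenied:
        denied = True
    return denied, job.description, job.script  # rejected, nothing applied


def scenario_buggy_partial_save():
    job = Job("build", "println 'hi'")
    try:
        submit_buggy(job, {"description": "nightly build"}, is_admin=False)
        denied = False
    except AccessDenied:
        denied = True
    return denied, job.description             # denied, yet description changed


def scenario_admin_edit():
    job = Job("build", "println 'hi'")
    form = render_form(job, is_admin=True)
    form["script"] = "println 'bye'"
    submit_fixed(job, form, is_admin=True)
    return job.script
```

The check worth keeping from this is the split between render time and submit time: the permission decision is made once, when the form is built, and the submit handler trusts nothing in the request that the render step did not put there. Because the sealed value is only verified, a non-admin can still read the script on the page, which matches the reporter's "displayed for information" option; hiding it as well needs encryption, as the actual fix did.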

