Thanks for the reply Jesse, my idea was because branch-api wants to show the number of items in its view if core should provide that feature and that way when core calls getItems() in jelly you can get the size and therefore skip the need for permissions checks. But I'm not sure if its worth the effort.
On Wednesday, 22 January 2020 08:43:30 UTC+8, Jesse Glick wrote: > > On Mon, Jan 20, 2020 at 5:13 AM Raihaan Shouhell > <raihaan...@gmail.com <javascript:>> wrote: > > I'd like to see if the relevant jelly files that call this has access to > items and the use of getItems() (and hasPermission) can be reduced. > > Doubtful since this is just overriding > > https://javadoc.jenkins.io/hudson/model/View.html#getDisplayName-- > > If permission checks are a bottleneck here it might be a problem in > the `AuthorizationStrategy`. Alternately, it would probably be fine to > wrap the `getItems` call inside `ACL.as(ACL.SYSTEM)` since someone > with permission to view the organization folder very likely also has > permission to view all the child repositories (it would be an obscure > authorization strategy that decided otherwise), and at worst the > leaked information would be a count of hidden subfolders. > -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-dev+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/b6feb5ab-51a9-4be3-b8ca-7c20b9997d1f%40googlegroups.com.
