Issue Type: Bug
Assignee: Unassigned
Components: core
Created: 30/Aug/12 3:04 PM
Description:
Not sure if this is actually a bug or not. AbstractProject.doConfigSubmit modifies the publishersList of an upstream project regardless of your permissions on that project. I would expect that you would need to have CONFIGURE permission on it. Not clear that there is a specific security threat from adding a BuildTrigger to an arbitrary project, but it will at a minimum result in a config.xml change from an unauthorized user, which might raise eyebrows.
BuildTrigger.DescriptorImpl.doCheck also ought to issue an error if you have no CONFIGURE permission. doAutoCompleteUpstreamProjects can probably be left alone - complete everything we can see but show an error if you cannot really touch it.
Also doCheck neglects to check AbstractProject.isConfigurable as doConfigSubmit does.
Project: Jenkins
Labels: upstream, security
Priority: Minor
Reporter: jglick
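
The behaviour the report asks for, as an added example that is not Jenkins source and not part of the original message: one rule requiring both configurability and CONFIGURE permission, shared by form validation and the submit path, so an upstream project is never modified by a user who cannot configure it. `Project`, `Perm`, `check`, `submit` and the project and user names are hypothetical stand-ins for the Jenkins types named in the description.

```java
import java.util.*;

// Simplified model, not Jenkins source: Project, Perm and the user names are hypothetical.
public class UpstreamTriggerCheck {
    enum Perm { READ, CONFIGURE }

    static class Project {
        final String name;
        final boolean configurable;                      // stands in for isConfigurable
        final Map<String, EnumSet<Perm>> acl = new HashMap<>();
        final Set<String> triggers = new TreeSet<>();    // stands in for publishersList
        Project(String name, boolean configurable) {
            this.name = name;
            this.configurable = configurable;
        }
        boolean hasPermission(String user, Perm p) {
            return acl.getOrDefault(user, EnumSet.noneOf(Perm.class)).contains(p);
        }
    }

    // One rule shared by form validation and submit; returns null when the change is allowed.
    static String check(Project upstream, String user) {
        if (upstream == null || !upstream.hasPermission(user, Perm.READ)) return "No such project";
        if (!upstream.configurable) return upstream.name + " is not configurable";
        if (!upstream.hasPermission(user, Perm.CONFIGURE))
            return "No CONFIGURE permission on " + upstream.name;
        return null;
    }

    // Submit path: only upstreams that pass check() are modified; the rest are reported.
    static List<String> submit(Project downstream, List<Project> upstreams, String user) {
        List<String> errors = new ArrayList<>();
        for (Project up : upstreams) {
            String err = check(up, user);
            if (err == null) up.triggers.add(downstream.name);
            else errors.add(err);
        }
        return errors;
    }

    public static void main(String[] args) {
        Project mine = new Project("app-deploy", true);          // constructed sample data
        Project open = new Project("lib-build", true);
        Project locked = new Project("release", true);
        open.acl.put("alice", EnumSet.of(Perm.READ, Perm.CONFIGURE));
        locked.acl.put("alice", EnumSet.of(Perm.READ));          // visible but not editable
        System.out.println(submit(mine, List.of(open, locked), "alice"));
        System.out.println(open.triggers + " " + locked.triggers);
    }
}
```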