We have an issue with the Status page of some projects build in Jenkins (v1.515). Some of my users, which don't have access to all Jenkins projects but a part of them, cannot display correctly some status page, they receive an "Error 330 (net::ERR_CONTENT_DECODING_FAILED)".
After some investiguation, I found that this issue came from the "Changes in dependencies" part of the status page: As soon as an artifact copied into the current build came from another build that user doesn't have acces, the error popup.
How to reproduce:
In "Configure Global Security" page of Jenkins, the "Project-based Matrix Authorization Strategy" is activated and the authorization are given by the image "GlobalSecurity-setting.png" in attachment.
Now imagine 2 projects A and B. The user, called Bob, had access to B but not A (via the project-base security feature in Jenkins). Project B security is given by the image "ProjectB-security.png" in attachment.
A font file (.ttf) is checked out from a build of project A, called A#1. Some other process are made in A#1, then it archive some file, including the .ttf file (which was not modified during the process).
The same font file is checked out from a build of project B, called B#1. Some process after, B#1 is also archiving the .ttf file.
Now Bob try to access the status page of the build B#1. The "Changes in dependencies" part of this page is trying to make some dependency links between projects based on the fingerprint of used artifacts. It found the .ttf font with a fingerprint which lead it to the build A#1, so it try to retrieve some info from this A#1 build. Because Bob cannot access any builds of project A, an error occure: " Error 330 (net::ERR_CONTENT_DECODING_FAILED)".
Patch:
I patch the source of Jenkins 1.515 by just removing the "Changes in dependencies" part in the file "core/src/main/resources/hudson/model/AbstractBuild/index.jelly".
|