[JIRA] (JENKINS-62054) Support action is displayed even if the user does not have the rights
Arnaud Héritier commented on JENKINS-62054

Obviously there is a problem, Pierre Beitz. It's not a security issue from my POV (Daniel Beck) because you cannot generate anything, but I agree with you that we should fix it. Not sure about the fix you propose and why the permissions set in actions by Allan BURDAJEWICZ don't work.

This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.205951.158783968.17963.1587916380210%40Atlassian.JIRA.
[JIRA] (JENKINS-62054) Support action is displayed even if the user does not have the rights
Pierre Beitz commented on JENKINS-62054

Arnaud Héritier, here is the link where I detected this: https://ci.jenkins.io/job/Plugins/job/shelve-project-plugin/job/master/29/support/

I must admit I don't know how the management of permissions for an action in Jelly works. I have the same pattern in the shelve project plugin and I drive this with the Java code (like I did in the PR for this task).
[JIRA] (JENKINS-62054) Support action is displayed even if the user does not have the rights
Arnaud Héritier commented on JENKINS-62054

Pierre Beitz, could it be with some specific settings and/or a specific security scheme? It's surprising (I didn't test) because the actions are supposed to require the permission SupportPlugin.CREATE_BUNDLE:

https://github.com/jenkinsci/support-core-plugin/blob/master/src/main/resources/com/cloudbees/jenkins/support/actions/SupportAbstractItemAction/action.jelly#L5
https://github.com/jenkinsci/support-core-plugin/blob/master/src/main/resources/com/cloudbees/jenkins/support/actions/SupportComputerAction/action.jelly#L5
https://github.com/jenkinsci/support-core-plugin/blob/master/src/main/resources/com/cloudbees/jenkins/support/actions/SupportRunAction/action.jelly#L5

Also, on our products, when I don't have an admin permission I do not see them (but we are probably not using the latest version of support-core).

cc Allan BURDAJEWICZ
[JIRA] (JENKINS-62054) Support action is displayed even if the user does not have the rights
Pierre Beitz updated JENKINS-62054

Change By: Pierre Beitz
Status: In Progress → In Review
[JIRA] (JENKINS-62054) Support action is displayed even if the user does not have the rights
Pierre Beitz started work on JENKINS-62054

Change By: Pierre Beitz
Status: Open → In Progress
[JIRA] (JENKINS-62054) Support action is displayed even if the user does not have the rights
Pierre Beitz created an issue

Jenkins / JENKINS-62054 Support action is displayed even if the user does not have the rights

Issue Type: Bug
Assignee: Pierre Beitz
Components: support-core-plugin
Created: 2020-04-25 18:34
Environment: Any version of the plugin
             Any core version
Priority: Major
Reporter: Pierre Beitz

Browse a Jenkins instance without admin rights (noticed with anonymous on the community Jenkins), and observe that you can see the Support link on the left of a Job. You can click on it and see the bundle generation screen.

This is only a display issue, you cannot do more as the rest is protected. The screen itself doesn't show information you are not allowed to see.

Same is also visible for the Computers.