Permission check during view configuration (getACL)


Ulli Hafner
I am trying to secure a POST method that is invoked during configuration of a view column. 

I started with a permission check for View.CONFIGURE but this was too restrictive and does not work with the role-based authorization strategy.

When I add an ItemGroup object as @AncestorInPath then I don’t find a corresponding ACL method in Jenkins.

So my planned code looks like:

import hudson.model.ItemGroup;
import hudson.model.View;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.verb.POST;

@POST
public ListBoxModel doFillTypeItems(@AncestorInPath final ItemGroup<?> item) {
    if (item == null) {
        // no enclosing item group in the request path: fall back to the root ACL
        return Jenkins.get().hasPermission(View.CONFIGURE) ? createTypesModel() : new ListBoxModel();
    }
    // does not compile: AuthorizationStrategy has no getACL(ItemGroup) overload
    if (Jenkins.get().getAuthorizationStrategy().getACL(item).hasPermission(View.CONFIGURE)) {
        return createTypesModel();
    }
    return new ListBoxModel();
}

But there is no getAcl method for item groups. What is the correct way to authenticate here?

What I also tried is to use a View. This code compiles but I do not get the view as AncestorInPath.

@POST
public ListBoxModel doFillTypeItems(@AncestorInPath final View view) {…}

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/1E72C06F-71F9-4835-A778-B5AEE9AE2865%40gmail.com.
Re: Permission check during view configuration (getACL)

Ulli Hafner
From the Jira bug report it looks like a user can edit a view even if he has no permission defined for a VIEW. Is this intended?

On 21.03.2021, at 23:36, Ullrich Hafner <[hidden email]> wrote:

Re: Permission check during view configuration (getACL)

Jesse Glick-4
On Sun, Mar 21, 2021 at 6:36 PM Ullrich Hafner <[hidden email]> wrote:
there is no getAcl method for item groups

Normally an `ItemGroup` will in fact be `instanceof AccessControlled` (via `Jenkins` or `AbstractFolder`).

(I cannot say I understand the intent of `View` permissions so I am not attempting to answer your question broadly.)

Re: Permission check during view configuration (getACL)

Ulli Hafner
I see, then I just need to cast the view group accordingly. That works, thanks!



On 22.03.2021, at 13:53, Jesse Glick <[hidden email]> wrote:

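As an added example (not code from the thread, and not Jenkins core or plugin code), the pattern Jesse Glick's reply points to and Ulli Hafner's last message confirms: instead of looking for a getACL(ItemGroup) overload, cast the @AncestorInPath ItemGroup to AccessControlled and check the permission on it, falling back to Jenkins.get() (itself an ItemGroup and AccessControlled) when no item group is in the request path. The package, the class names TypeColumn and DescriptorImpl, the helper createTypesModel() and the option values are illustrative assumptions; the choice of View.CONFIGURE is taken over from the thread's own snippet and is not a claim that it is the right permission under every authorization strategy.

```java
package io.example.jenkins; // hypothetical package for this example

import hudson.Extension;
import hudson.model.ItemGroup;
import hudson.model.View;
import hudson.security.AccessControlled;
import hudson.util.ListBoxModel;
import hudson.views.ListViewColumn;
import hudson.views.ListViewColumnDescriptor;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.verb.POST;

/** Hypothetical list-view column; exists only to give the descriptor something to describe. */
public class TypeColumn extends ListViewColumn {

    private final String type;

    @DataBoundConstructor
    public TypeColumn(String type) {
        this.type = type;
    }

    public String getType() {
        return type;
    }

    /**
     * Resolves the object whose ACL governs this request. Jenkins itself and
     * AbstractFolder implement AccessControlled (as Jesse Glick notes), so the
     * cast succeeds for the usual view owners; anything else, including a
     * missing ancestor, falls back to the root object.
     */
    static AccessControlled aclSubject(ItemGroup<?> group) {
        return group instanceof AccessControlled ? (AccessControlled) group : Jenkins.get();
    }

    @Extension
    public static class DescriptorImpl extends ListViewColumnDescriptor {

        @Override
        public String getDisplayName() {
            return "Type"; // assumed label for the example column
        }

        /** Form-validation endpoint; @POST keeps it off GET and behind the CSRF crumb. */
        @POST
        public ListBoxModel doFillTypeItems(@AncestorInPath ItemGroup<?> group) {
            if (!aclSubject(group).hasPermission(View.CONFIGURE)) {
                // Return an empty model rather than the option names, so callers
                // without the permission learn nothing about what is configurable.
                return new ListBoxModel();
            }
            return createTypesModel();
        }

        /** Assumed option list; real code would derive it from the plugin's data. */
        private ListBoxModel createTypesModel() {
            ListBoxModel model = new ListBoxModel();
            model.add("Build status", "status");
            model.add("Last duration", "duration");
            return model;
        }
    }
}
```

The null branch of the original snippet is folded into aclSubject(): when the column is configured on a root-level view there is no folder in the ancestor path and the check runs against the root ACL, exactly as the original code intended. If throwing is preferred to silently returning nothing, `aclSubject(group).checkPermission(View.CONFIGURE)` does the same test and raises AccessDeniedException instead.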