Merge pull request #378 from amuniz/JENKINS-73163

[JENKINS-73163] Allow users with Overall/Manage permission to configure GitHub Servers
jenkinsci · May 13, 2024 · c6481b4 · c6481b4
2 parents 5aa9d5c + 3f74022
commit c6481b4
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 5 deletions.
diff --git a/pom.xml b/pom.xml
@@ -53,6 +53,7 @@
         <jenkins.version>2.414.3</jenkins.version>
         <release.skipTests>false</release.skipTests>
         <tagNameFormat>v@{project.version}</tagNameFormat>
+        <useBeta>true</useBeta> <!-- For Jenkins.MANAGE permission -->
     </properties>
 
     <repositories>

diff --git a/src/main/java/org/jenkinsci/plugins/github/config/GitHubServerConfig.java b/src/main/java/org/jenkinsci/plugins/github/config/GitHubServerConfig.java
@@ -348,7 +348,7 @@ public String getDisplayName() {
         @SuppressWarnings("unused")
         public ListBoxModel doFillCredentialsIdItems(@QueryParameter String apiUrl,
                                                      @QueryParameter String credentialsId) {
-            if (!Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER)) {
+            if (!Jenkins.getInstance().hasPermission(Jenkins.MANAGE)) {
                 return new StandardListBoxModel().includeCurrentValue(credentialsId);
             }
             return new StandardListBoxModel()
@@ -367,7 +367,7 @@ public ListBoxModel doFillCredentialsIdItems(@QueryParameter String apiUrl,
         public FormValidation doVerifyCredentials(
                 @QueryParameter String apiUrl,
                 @QueryParameter String credentialsId) throws IOException {
-            Jenkins.getActiveInstance().checkPermission(Jenkins.ADMINISTER);
+            Jenkins.getActiveInstance().checkPermission(Jenkins.MANAGE);
 
             GitHubServerConfig config = new GitHubServerConfig(credentialsId);
             config.setApiUrl(apiUrl);

diff --git a/src/main/java/org/jenkinsci/plugins/github/config/HookSecretConfig.java b/src/main/java/org/jenkinsci/plugins/github/config/HookSecretConfig.java
@@ -62,7 +62,7 @@ public String getDisplayName() {
 
         @SuppressWarnings("unused")
         public ListBoxModel doFillCredentialsIdItems(@QueryParameter String credentialsId) {
-            if (!Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER)) {
+            if (!Jenkins.getInstance().hasPermission(Jenkins.MANAGE)) {
                 return new StandardListBoxModel().includeCurrentValue(credentialsId);
             }
 

diff --git a/src/test/java/org/jenkinsci/plugins/github/config/GitHubServerConfigIntegrationTest.java b/src/test/java/org/jenkinsci/plugins/github/config/GitHubServerConfigIntegrationTest.java
@@ -107,7 +107,9 @@ public void shouldNotAllow_CredentialsLeakage_usingVerifyCredentials() throws Ex
         j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
 
         GlobalMatrixAuthorizationStrategy strategy = new GlobalMatrixAuthorizationStrategy();
-        strategy.add(Jenkins.ADMINISTER, "admin");
+        Jenkins.MANAGE.setEnabled(true);
+        strategy.add(Jenkins.MANAGE, "admin");
+        strategy.add(Jenkins.READ, "admin");
         strategy.add(Jenkins.READ, "user");
         j.jenkins.setAuthorizationStrategy(strategy);
 
@@ -121,7 +123,7 @@ public void shouldNotAllow_CredentialsLeakage_usingVerifyCredentials() throws Ex
 
             assertThat(attackerServlet.secretCreds, isEmptyOrNullString());
         }
-        { // only admin can verify the credentials
+        { // only admin (with Manage permission) can verify the credentials
             JenkinsRule.WebClient wc = j.createWebClient();
             wc.getOptions().setThrowExceptionOnFailingStatusCode(false);
             wc.login("admin");