Merge pull request #96 from jenkinsci-cert/SECURITY-385
[SECURITY-385] Only suggest visible views in search
jglick committed Jan 5, 2017
2 parents 4ed5c85 + e45a703 commit 13905d8
Showing 2 changed files with 40 additions and 1 deletion.
2 changes: 1 addition & 1 deletion core/src/main/java/jenkins/model/Jenkins.java
Expand Up @@ -1887,7 +1887,7 @@ public SearchIndexBuilder makeSearchIndex() {
})
.add(new CollectionSearchIndex() {// for views
protected View get(String key) { return getView(key); }
protected Collection<View> all() { return views; }
protected Collection<View> all() { return viewGroupMixIn.getViews(); }
});
}

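Review bot: `get(String key)` on the line above the changed one still resolves through `getView(key)`, so only the suggestion list of this `CollectionSearchIndex` is now permission-filtered via `viewGroupMixIn.getViews()`, while the exact-name lookup path is unchanged; unless `getView` applies the same READ check (not visible here), a view could still be resolved by exact name without being listed. Routing `get` through the same filtered collection, or adding an assertion for that path to the accompanying test, would close the gap or confirm it does not exist. The `// for views` comment could also record the intent, e.g. `// for views; viewGroupMixIn.getViews() yields only views the current user may read`. The enclosing makeSearchIndex() starts outside the hunk.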
39 changes: 39 additions & 0 deletions test/src/test/java/hudson/search/SearchTest.java
Expand Up @@ -32,11 +32,19 @@
import hudson.model.FreeStyleProject;
import hudson.model.ListView;

import java.io.IOException;
import java.net.URL;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import hudson.model.User;
import hudson.model.View;
import hudson.security.ACL;
import hudson.security.AuthorizationStrategy;
import hudson.security.GlobalMatrixAuthorizationStrategy;
import jenkins.model.Jenkins;
import net.sf.json.JSONArray;
import net.sf.json.JSONObject;
import net.sf.json.JSONSerializer;
Expand Down Expand Up @@ -378,6 +386,37 @@ public void testCompletionOutsideView() throws Exception {

assertTrue(suggest(j.jenkins.getSearchIndex(),"foo").contains(p));
}

@Issue("SECURITY-385")
@Test
public void testInaccessibleViews() throws IOException {
j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
GlobalMatrixAuthorizationStrategy strategy = new GlobalMatrixAuthorizationStrategy();
strategy.add(Jenkins.READ, "alice");
j.jenkins.setAuthorizationStrategy(strategy);

j.jenkins.addView(new ListView("foo", j.jenkins));

// SYSTEM can see all the views
assertEquals("two views exist", 2, Jenkins.getInstance().getViews().size());
List<SearchItem> results = new ArrayList<>();
j.jenkins.getSearchIndex().suggest("foo", results);
assertEquals("nonempty results list", 1, results.size());


// Alice can't
assertFalse("no permission", j.jenkins.getView("foo").getACL().hasPermission(User.get("alice").impersonate(), View.READ));
ACL.impersonate(User.get("alice").impersonate(), new Runnable() {
@Override
public void run() {
assertEquals("no visible views", 0, Jenkins.getInstance().getViews().size());

List<SearchItem> results = new ArrayList<>();
j.jenkins.getSearchIndex().suggest("foo", results);
assertEquals("empty results list", Collections.emptyList(), results);
}
});
}

@Test
public void testSearchWithinFolders() throws Exception {
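Review bot: The `results` declared inside the anonymous `Runnable` (`List<SearchItem> results = new ArrayList<>();` in `run()`) shadows the `results` of the enclosing test method; this compiles only because the inner body is a separate class, and it obscures which list each `assertEquals` inspects. Renaming the inner list, e.g. `List<SearchItem> aliceResults = new ArrayList<>();` and `assertEquals("empty results list", Collections.emptyList(), aliceResults);`, removes the ambiguity. The method also alternates between `Jenkins.getInstance()` and `j.jenkins` for the same instance, where `j.jenkins` throughout would match the surrounding tests. Only `suggest` is exercised; the index's `get(String key)` lookup is not, so the test does not show that an exact-name search is filtered the same way.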
