
[JENKINS-50324] User without READ cannot logout - or even ask who they are

(cherry picked from commit b5ed977)
Wadeck authored and olivergondza committed Apr 19, 2018
1 parent 5e8cd50 commit 8a2f9865e8dfc4b25de603b693dcc09a99be85af
Showing with 27 additions and 1 deletion.
  1. +1 −1 core/src/main/java/hudson/cli/CLICommand.java
  2. +26 −0 test/src/test/java/hudson/cli/CLIActionTest.java
@@ -275,7 +275,7 @@ public int main(List<String> args, Locale locale, InputStream stdin, PrintStream
if (auth==Jenkins.ANONYMOUS)
auth = loadStoredAuthentication();
sc.setAuthentication(auth); // run the CLI with the right credential
if (!(this instanceof LoginCommand || this instanceof HelpCommand))
if (!(this instanceof LoginCommand || this instanceof LogoutCommand || this instanceof HelpCommand || this instanceof WhoAmICommand))
Jenkins.getActiveInstance().checkPermission(Jenkins.READ);
return run();
} catch (CmdLineException e) {
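Review bot: The `if` that guards `checkPermission(Jenkins.READ)` is the single authorization gate for every CLI command, and the widened instanceof list carries no explanation of why these four commands may skip it; the next person adding a command to that list has nothing to tell them whether doing so is safe. Add a comment above the condition, e.g. `// JENKINS-50324: login, logout and who-am-i only act on the caller's own session and help only prints usage, so READ is not required here; every other command must stay behind the check`. Longer term the growing instanceof chain could become an overridable hook such as `protected boolean requiresReadPermission()` on CLICommand, so each exempt command declares that next to its implementation instead of in this central condition. The enclosing `main` method starts and ends outside the hunk.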
@@ -295,6 +295,32 @@ public void noPreAuthOptionHandlerInfoLeak() throws Exception {
assertExitCode(6, false, jar, "get-view", "v2"); // Error code 3 before SECURITY-754
}

@Test
@Issue("JENKINS-50324")
public void userWithoutReadCanLogout() throws Exception {
String userWithRead = "userWithRead";
String userWithoutRead = "userWithoutRead";

File jar = tmp.newFile("jenkins-cli.jar");
FileUtils.copyURLToFile(j.jenkins.getJnlpJars("jenkins-cli.jar").getURL(), jar);
j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
.grant(Jenkins.ADMINISTER).everywhere().to(ADMIN)
.grant(Jenkins.READ).everywhere().to(userWithRead)
// nothing to userWithoutRead
);

checkCanLogout(jar, ADMIN);
checkCanLogout(jar, userWithRead);
checkCanLogout(jar, userWithoutRead);
}

private void checkCanLogout(File cliJar, String userLoginAndPassword) throws Exception {
assertExitCode(0, false, cliJar, "-remoting", "login", "--username", userLoginAndPassword, "--password", userLoginAndPassword);
assertExitCode(0, false, cliJar, "-remoting", "who-am-i");
assertExitCode(0, false, cliJar, "-remoting", "logout");
}

@TestExtension("encodingAndLocale")
public static class TestDiagnosticCommand extends CLICommand {
