[JENKINS-62264] User with MANAGE permissions can access node monitori…

…ng (#4724) * [JENKINS-62264] User with MANAGE permissions can access node monitoring And submit its configuration. * [JENKINS-62264] Allow Overall/Manage to refresh nodes status
jenkinsci · May 28, 2020 · c8bd0f0 · c8bd0f0
1 parent f5fdc4b
commit c8bd0f0
Show file tree

Hide file tree

Showing 5 changed files with 57 additions and 9 deletions.
diff --git a/core/src/main/java/hudson/model/ComputerSet.java b/core/src/main/java/hudson/model/ComputerSet.java
@@ -220,7 +220,7 @@ public void do_launchAll(StaplerRequest req, StaplerResponse rsp) throws IOExcep
      */
     @RequirePOST
     public void doUpdateNow( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException {
-        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
+        Jenkins.get().checkPermission(Jenkins.MANAGE);
 
         for (NodeMonitor nodeMonitor : NodeMonitor.getAll()) {
             Thread t = nodeMonitor.triggerUpdate();
@@ -343,7 +343,7 @@ public FormValidation doCheckName(@QueryParameter String value) throws IOExcepti
     public synchronized HttpResponse doConfigSubmit( StaplerRequest req) throws IOException, ServletException, FormException {
         BulkChange bc = new BulkChange(MONITORS_OWNER);
         try {
-            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
+            Jenkins.get().checkPermission(Jenkins.MANAGE);
             monitors.rebuild(req,req.getSubmittedForm(),getNodeMonitorDescriptors());
 
             // add in the rest of instances are ignored instances

diff --git a/core/src/main/resources/hudson/model/ComputerSet/configure.jelly b/core/src/main/resources/hudson/model/ComputerSet/configure.jelly
@@ -27,8 +27,8 @@ THE SOFTWARE.
 -->
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form" xmlns:i="jelly:fmt">
-  <l:layout permission="${app.SYSTEM_READ}" title="${%Node Monitoring Configuration}">
-    <j:set var="readOnlyMode" value="${!app.hasPermission(app.ADMINISTER)}" />
+  <l:layout permissions="${app.MANAGE_AND_SYSTEM_READ}" title="${%Node Monitoring Configuration}">
+    <j:set var="readOnlyMode" value="${!app.hasPermission(app.MANAGE)}" />
     <st:include page="sidepanel.jelly" />
     <l:main-panel>
       <!-- to make the form field binding work -->
@@ -40,12 +40,12 @@ THE SOFTWARE.
                           descriptors="${it.nodeMonitorDescriptors}"
                           instances="${it.nonIgnoredMonitors}" />
 
-        <l:isAdmin>
+        <l:hasAdministerOrManage>
           <f:bottomButtonBar>
             <f:submit value="${%OK}" />
             <f:apply />
           </f:bottomButtonBar>
-        </l:isAdmin>
+        </l:hasAdministerOrManage>
       </f:form>
       <st:adjunct includes="lib.form.confirm" />
     </l:main-panel>

diff --git a/core/src/main/resources/hudson/model/ComputerSet/index.jelly b/core/src/main/resources/hudson/model/ComputerSet/index.jelly
@@ -94,13 +94,13 @@ THE SOFTWARE.
       </tr>
 
     </table>
-    <j:if test="${app.hasPermission(app.ADMINISTER)}">
+    <l:hasAdministerOrManage>
       <div align="right" style="margin-top:0.5em">
         <form method="post" action="updateNow">
           <s:submit value="${%Refresh status}"/>
         </form>
       </div>
-    </j:if>
+    </l:hasAdministerOrManage>
   </l:main-panel>
 </l:layout>
 </j:jelly>
diff --git a/core/src/main/resources/hudson/model/ComputerSet/sidepanel.jelly b/core/src/main/resources/hudson/model/ComputerSet/sidepanel.jelly
@@ -36,7 +36,7 @@ THE SOFTWARE.
       <l:task href="new" icon="icon-new-computer icon-md" permission="${createPermission}" title="${%New Node}"/>
       <l:task href="${rootURL}/configureClouds" icon="icon-health-40to59 icon-md" permission="${app.SYSTEM_READ}"
               title="${app.hasPermission(app.ADMINISTER) ? '%Configure Clouds' : '%View Clouds'}"/>
-      <l:task href="configure" icon="icon-gear2 icon-md" permission="${app.SYSTEM_READ}" title="${%Node Monitoring}"/>
+      <l:task href="configure" icon="icon-gear2 icon-md" permissions="${app.MANAGE_AND_SYSTEM_READ}" title="${%Node Monitoring}"/>
     </l:tasks>
     <t:queue items="${app.queue.items}" />
     <t:executors />

diff --git a/test/src/test/java/hudson/model/ComputerSetTest.java b/test/src/test/java/hudson/model/ComputerSetTest.java
@@ -24,15 +24,22 @@
 package hudson.model;
 
 import com.gargoylesoftware.htmlunit.html.HtmlForm;
+import com.gargoylesoftware.htmlunit.html.HtmlPage;
 import hudson.cli.CLICommandInvoker;
 import hudson.slaves.DumbSlave;
 import static org.hamcrest.Matchers.*;
 import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.Assert.assertEquals;
+
+import jenkins.model.Jenkins;
 import org.junit.Rule;
 import org.junit.Test;
 import org.jvnet.hudson.test.Issue;
 import org.jvnet.hudson.test.JenkinsRule;
 import org.jvnet.hudson.test.JenkinsRule.WebClient;
+import org.jvnet.hudson.test.MockAuthorizationStrategy;
+
+import java.net.HttpURLConnection;
 
 /**
  * @author Kohsuke Kawaguchi
@@ -80,4 +87,45 @@ public void getComputerNames() throws Exception {
         j.createSlave("anAnotherNode", "", null);
         assertThat(ComputerSet.getComputerNames(), containsInAnyOrder("aNode", "anAnotherNode"));
     }
+
+    @Test
+    public void managePermissionCanConfigure() throws Exception {
+        final String USER = "user";
+        final String MANAGER = "manager";
+        j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
+        j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
+                // Read access
+                .grant(Jenkins.READ).everywhere().to(USER)
+
+                // Read and Manage
+                .grant(Jenkins.READ).everywhere().to(MANAGER)
+                .grant(Jenkins.MANAGE).everywhere().to(MANAGER)
+        );
+
+        JenkinsRule.WebClient wc = j.createWebClient()
+                .withThrowExceptionOnFailingStatusCode(false);
+
+        // Jenkins.READ can access /computer but not /computer/configure
+        wc.login(USER);
+        HtmlPage page = wc.goTo("computer/");
+        assertEquals(HttpURLConnection.HTTP_OK, page.getWebResponse().getStatusCode());
+        String responseContent = page.getWebResponse().getContentAsString();
+        // the "Node Monitoring" link in the sidepanel is not visible
+        assertThat(responseContent, not(containsString("Node Monitoring")));
+        page = wc.goTo("computer/configure");
+        assertEquals(HttpURLConnection.HTTP_FORBIDDEN, page.getWebResponse().getStatusCode());
+
+        // Jenkins.MANAGER can access /computer and /computer/configure
+        wc.login(MANAGER);
+        page = wc.goTo("computer/");
+        assertEquals(HttpURLConnection.HTTP_OK, page.getWebResponse().getStatusCode());
+        responseContent = page.getWebResponse().getContentAsString();
+        // the "Node Monitoring" link in the sidepanel is visible
+        assertThat(responseContent, containsString("Node Monitoring"));
+        page = wc.goTo("computer/configure");
+        assertEquals(HttpURLConnection.HTTP_OK, page.getWebResponse().getStatusCode());
+        // and the OK (save) button is visible
+        responseContent = page.getWebResponse().getContentAsString();
+        assertThat(responseContent, containsString("OK"));
+    }
 }