
[JENKINS-68208] "Create a job" button is not hidden to users lacking permission. #6689

Merged
merged 3 commits into from Jul 7, 2022

Conversation


@frankie139506 frankie139506 commented Jun 23, 2022

See JENKINS-68208.

Before (screenshot): user without Job/Create permission can see the button.

After (screenshot): user without Job/Create permission can't see the button now.

Proposed changelog entries

  • Don't display the job creation button to a user without Job/Create permission.

Proposed upgrade guidelines

N/A

Submitter checklist

  • (If applicable) Jira issue is well described
  • Changelog entries and upgrade guidelines are appropriate for the audience affected by the change (users or developer, depending on the change) and are in the imperative mood. Examples
    • Fill-in the Proposed changelog entries section only if there are breaking changes or other changes which may require extra steps from users during the upgrade
  • Appropriate autotests or explanation to why this change has no tests
  • New public classes, fields, and methods are annotated with @Restricted or have @since TODO Javadoc, as appropriate.
  • For dependency updates: links to external changelogs and, if possible, full diffs

Desired reviewers

@mention

Maintainer checklist

Before the changes are marked as ready-for-merge:

  • There are at least 2 approvals for the pull request and no outstanding requests for change
  • Conversations in the pull request are over OR it is explicit that a reviewer does not block the change
  • Changelog entries in the PR title and/or Proposed changelog entries are accurate, human-readable, and in the imperative mood
  • Proper changelog labels are set so that the changelog can be generated automatically
  • If the change needs additional upgrade steps from users, upgrade-guide-needed label is set and there is a Proposed upgrade guidelines section in the PR title. (example)
  • If it would make sense to backport the change to LTS, a Jira issue must exist, be a Bug or Improvement, and be labeled as lts-candidate to be considered (see query).

@NotMyFault added labels Jun 23, 2022: bug (For changelog: Minor bug. Will be listed after features), web-ui (The PR includes WebUI changes which may need special expertise), needs-security-review (Awaiting review by a security team member)
@NotMyFault NotMyFault requested a review from a team June 23, 2022 23:11
@daniel-beck daniel-beck left a comment


This change is incorrect.

Authorization strategies like Project-based Matrix Authorization give users fine-grained control over who is allowed to create items where. To create an item in a folder, you only need permission to create an item inside that folder, not on the root level. That case would be broken by this change.

The problem here is probably related to the view owner being the user (for "My Views"), and a user has full permissions on itself to freely configure all properties. This seems to be a bad interaction not considered by the Groovy view, but the fix would be different from this change.

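The two authorization cases in the review comment above, as an added Python model. This is not Jenkins code and not the fix that was eventually merged: the Container, SelfOwnedAcl and button_visible_* names and the sample users (admin, dev, viewer) are constructed for the illustration, and the third check, which scopes the decision to the item group whose items the view lists, is this editor's assumption about the intended scope, not something the reviewer or the PR states. Only the semantics follow the comment: per-container grants that inherit downward, a user who may create inside a folder but not at the root, and a "My Views" owner who passes every check against their own User object.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Permission name follows Jenkins' Item/Create; everything else here is a
# constructed model, not Jenkins' ACL implementation.
CREATE = "Item/Create"


@dataclass
class Container:
    """An item group (the root, or a folder) carrying its own permission matrix."""

    name: str
    parent: Optional[Container] = None
    # user -> permissions granted explicitly on this container
    grants: Dict[str, Set[str]] = field(default_factory=dict)

    def has_permission(self, user: str, perm: str) -> bool:
        # Project-based matrix semantics: a grant on this container or on any
        # ancestor applies; a grant on a sibling or a child does not.
        node: Optional[Container] = self
        while node is not None:
            if perm in node.grants.get(user, set()):
                return True
            node = node.parent
        return False


class SelfOwnedAcl:
    """ACL of a User object: the owner may freely configure every property of
    itself, so any permission check by the owner against this ACL succeeds."""

    def __init__(self, owner: str) -> None:
        self.owner = owner

    def has_permission(self, user: str, perm: str) -> bool:
        return user == self.owner


def button_visible_root_check(root: Container, user: str) -> bool:
    """The approach the reviewer rejects: decide from the root ACL only."""
    return root.has_permission(user, CREATE)


def button_visible_owner_check(owner_acl: SelfOwnedAcl, user: str) -> bool:
    """The interaction the reviewer suspects: for "My Views" the view owner is
    the user, and the owner passes every check against its own ACL."""
    return owner_acl.has_permission(user, CREATE)


def button_visible_scoped_check(item_group: Container, user: str) -> bool:
    """Assumed correct scope: the item group whose items the view lists."""
    return item_group.has_permission(user, CREATE)


def build_fixture() -> Tuple[Container, Container]:
    """Constructed matrix: admin may create anywhere, dev only inside the
    team-a folder, and viewer may create nowhere."""
    root = Container("root")
    team_a = Container("team-a", parent=root)
    root.grants["admin"] = {CREATE}
    team_a.grants["dev"] = {CREATE}
    return root, team_a


if __name__ == "__main__":
    root, team_a = build_fixture()
    for user in ("admin", "dev", "viewer"):
        print(
            user,
            "root-only:", button_visible_root_check(root, user),
            "team-a:", button_visible_scoped_check(team_a, user),
            "own My Views:", button_visible_owner_check(SelfOwnedAcl(user), user),
        )
```

Running it shows both points of the review: dev fails the root-only check but passes the check scoped to team-a, so hiding the button on a root-level check would take the legitimate folder-level creator's button away; viewer passes the owner check on their own "My Views" despite holding no Item/Create grant anywhere, which is the interaction that produced the bug report.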
@frankie139506

This change is incorrect.

Authorization strategies like Project-based Matrix Authorization give users fine-grained control over who is allowed to create items where. To create an item in a folder, you only need permission to create an item inside that folder, not on the root level. That case would be broken by this change.

The problem here is probably related to the view owner being the user (for "My Views"), and a user has full permissions on itself to freely configure all properties. This seems to be a bad interaction not considered by the Groovy view, but the fix would be different from this change.

Thanks for your suggestion.

@daniel-beck daniel-beck self-requested a review July 5, 2022 11:15
@daniel-beck added label security-approved (@jenkinsci/core-security-review reviewed this PR for security issues) and removed label needs-security-review (Awaiting review by a security team member) Jul 5, 2022
@NotMyFault added label ready-for-merge (The PR is ready to go, and it will be merged soon if there is no negative feedback) Jul 5, 2022
@NotMyFault

This PR is now ready for merge. We will merge it after ~24 hours if there is no negative feedback.
Please see the merge process documentation for more information about the merge process.
Thanks!

@timja timja merged commit 72e1353 into jenkinsci:master Jul 7, 2022