[JENKINS-70931] Remove Prototype Ajax.Request usages from hudson-behavior.js
#7951
Conversation
timja
force-pushed
the
JENKINS-70931-hudson-behavior
branch
2 times, most recently
from
df81a05
to
8eae594
Compare
basil
changed the title
Ajax.Request usages from hudson-behavior.js
timja
added
developer
…or.js Co-authored-by: Basil Crow <me@basilcrow.com>
timja
force-pushed
the
JENKINS-70931-hudson-behavior
branch
from
ed2df1c
to
3c890bd
Compare
| @@ -94,89 +77,4 @@ public void onlyAdminCanReachTheDoCheck() throws Exception { | |||
| userWc.login(USER); | |||
| assertEquals(HttpURLConnection.HTTP_FORBIDDEN, userWc.getPage(request).getWebResponse().getStatusCode()); | |||
| } | |||
|
|
|||
| @Test | |||
| @Issue("SECURITY-794") | |||
There was a problem hiding this comment.
Why is this removed? Not relevant anymore?
There was a problem hiding this comment.
It was a very hacky test relying on internals of htmlunit which changed when switching to fetch I wasn’t able to replicate it and it didn’t seem like a critical test
yaroslavafenkin
added
security-approved
|
/label ready-for-merge This PR is now ready for merge, after ~24 hours, we will merge it if there's no negative feedback. Thanks! |
comment-ops-bot
bot
added
the
ready-for-merge
Yeah that could be pretty useful. Also, have you looked for plugins expecting to have |
|
I have checked, it’s in a comment here and like you I found no results |
Fixed |
| @@ -228,50 +228,73 @@ var FormChecker = { | |||
| * @param url | |||
| * Remote doXYZ URL that performs the check. Query string should include the field value. | |||
| * @param method | |||
| * HTTP method. GET or POST. I haven't confirmed specifics, but some browsers seem to cache GET requests. | |||
| * Unused, kept to maintain compatibility with the old signature. | |||
There was a problem hiding this comment.
matrix-auth and azure-ad call this with "GET". This changes the existing behavior. Not sure there is a valid justification for that.
If there is a valid justification for changing the existing behavior, then this calling convention is pretty ugly. Better to define a new two-argument method and deprecate the three-argument one, logging a warning if anyone is still calling the three-argument version and filing PRs to update consumers.
There was a problem hiding this comment.
JavaScript doesn't have function overloading.
https://stackoverflow.com/questions/456177/function-overloading-in-javascript-best-practices
We're stuck with that function with that name.
We could create a new function with a new name and use an object for parameters to make it more flexible in future
There was a problem hiding this comment.
Still not sure there is a valid justification for changing the existing behavior.
There was a problem hiding this comment.
core 2.285 changed the default to post, these 2 would have been missed by accident as they will be the only consumers calling it directly.
anyway I've added some compat so they will be able to set GET for now and will file separate PRs to switch them to post if that's okay?
timja
added
skip-changelog
|
Still failing ATH as far as I can tell. |
|
Code looks good. Once this gets a passing ATH run (or at least one that is no worse than trunk builds) I will be ready to approve this. |
|
ATH passed so this is good to go from my perspective. |
There was a problem hiding this comment.
Thanks for your hard work cleaning up this patch and getting ATH to pass!
This PR is now ready for merge. We will merge it after approximately 24 hours if there is no negative feedback. Please see the merge process documentation for more information about the merge process. Thanks!
basil
added
the
ready-for-merge
| var idx = url.indexOf("?"); | ||
| params.parameters = url.substring(idx + 1); | ||
| url = url.substring(0, idx); | ||
| } | ||
| new Ajax.Request(url, params); | ||
|
|
||
| const parsedUrl = method === "get" ? `${url}?${params.parameters}` : url; |
There was a problem hiding this comment.
This is a breaking change when the request method is GET, as params.parameters is undefined.
matrix-auth:
(The ] is from the internal format of form validation requested in the plugin. The original url looks like /jenkins/manage/descriptorByName/hudson.security.ProjectMatrixAuthorizationStrategy/checkName?value=%5BUSER%3AtheUsername%5D)
| @@ -242,36 +242,65 @@ var FormChecker = { | |||
| }, | |||
|
|
|||
| sendRequest: function (url, params) { | |||
There was a problem hiding this comment.
I realize I'm late to the party, but are we cool with breaking this function? It's used in plugins and the response parameter in onComplete having no responseText is a bit of a surprise to all the scripts.
There was a problem hiding this comment.
Could you clarify what's being broken? What scripts?
There was a problem hiding this comment.
See JENKINS-70931.
Testing done
FormChecker has been tested with the timezone field on the user configuration page.
On page load a doCheck with no attributes is done and works, and then when selecting other timezones it also works
Help fetching has been tested by putting a breakpoint on the code and then clicking help buttons, breakpoint was hit and help areas were loaded.
Lazy map was tested by going to the build time trend and seeing the breakpoint hit on page load and the page looked correct.
Stop button by adding a breakpoint on the code, starting a freestyle build, ensuring the breakpoint was hit and that it behaved as expected.
descriptionForm by editing a freestyle project description, putting a breakpoint ensuring the code was executed behaving as expected
refreshPart was tested by adding a breakpoint and making sure it was hit when executors updated.
validateButton was tested by clicking test connection on the slack plugins global configuration, ensuring breakpoint was hit and it behaved as expected
Proposed changelog entries
Proposed upgrade guidelines
N/A
Submitter checklist
@Restrictedor have@since TODOJavadocs, as appropriate.@Deprecated(since = "TODO")or@Deprecated(forRemoval = true, since = "TODO"), if applicable.evalto ease future introduction of Content Security Policy (CSP) directives (see documentation).Desired reviewers
@mention
Maintainer checklist
Before the changes are marked as
ready-for-merge:upgrade-guide-neededlabel is set and there is a Proposed upgrade guidelines section in the pull request title (see example).lts-candidateto be considered (see query).