Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[FIXED JENKINS-18633] User with the right "READ" is able to change main server description #906

Closed
wants to merge 1 commit into from

Conversation

@rbierman
Copy link

rbierman commented Aug 12, 2013

JENKINS-18633 Added an extra check to the ACL in the User model Class to prevent changing Jenkins.PERMISSIONS in the users view.

@cloudbees-pull-request-builder

This comment has been minimized.

Copy link

cloudbees-pull-request-builder commented Aug 12, 2013

core » jenkins_main_trunk #1078 UNSTABLE
Looks like there's a problem with this pull request

@jglick

This comment has been minimized.

Copy link
Member

jglick commented Aug 12, 2013

Seems like the wrong fix (and UserTest.testDoConfigSubmit fails). If I understand the original issue report correctly (I find it a bit hard to follow), the user can change the description at /me/my-view/views/All/, which is harmless, but this change is applied to everyone, which is not? Then the fix should be elsewhere, perhaps in AllView.doSubmitDescription, which I think should be checking permissions on Jenkins.instance, not this.

@jglick jglick closed this Aug 12, 2013
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants
You can’t perform that action at this time.