SECURITY-1022: Added checkPermission calls

src/main/java/org/jenkinsci/plugins/maven_artifact_choicelistprovider/artifactory/ArtifactoryChoiceListProvider.java

@@ -54,16 +54,23 @@ public String getDisplayName() {
 			return "Artifactory Artifact Choice Parameter";
 		}
 
-		public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item instance) {
-			return new StandardListBoxModel().includeEmptyValue().includeMatchingAs(ACL.SYSTEM, instance,
+		public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item pItem) {
+		    // SECURITY-1022
+		    pItem.checkPermission(Item.CONFIGURE);
+
+			return new StandardListBoxModel().includeEmptyValue().includeMatchingAs(Jenkins.getAuthentication(), pItem,
 					StandardUsernamePasswordCredentials.class, Collections.<DomainRequirement> emptyList(),
 					CredentialsMatchers.instanceOf(StandardUsernamePasswordCredentials.class));
 		}
 
 		@POST
-		public FormValidation doTest(@QueryParameter String url, @QueryParameter String credentialsId,
+		public FormValidation doTest(@AncestorInPath Item pItem, @QueryParameter String url, @QueryParameter String credentialsId,
 		        @QueryParameter String groupId, @QueryParameter String artifactId, @QueryParameter String packaging,
 				@QueryParameter String classifier, @QueryParameter boolean reverseOrder) {
+
+		    // SECURITY-1022
+            pItem.checkPermission(Item.CONFIGURE);
+
 			final IVersionReader service = new ArtifactorySearchService(url);
 
 			// If configured, set User Credentials

src/main/java/org/jenkinsci/plugins/maven_artifact_choicelistprovider/nexus/NexusChoiceListProvider.java

@@ -15,7 +15,6 @@
 import org.kohsuke.stapler.DataBoundSetter;
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.StaplerRequest;
-import org.kohsuke.stapler.interceptor.RequirePOST;
 
 import com.cloudbees.plugins.credentials.CredentialsMatchers;
 import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
@@ -25,9 +24,9 @@
 
 import hudson.Extension;
 import hudson.model.Item;
-import hudson.security.ACL;
 import hudson.util.FormValidation;
 import hudson.util.ListBoxModel;
+import jenkins.model.Jenkins;
 import net.sf.json.JSONObject;
 
 public class NexusChoiceListProvider extends AbstractMavenArtifactChoiceListProvider {
@@ -66,14 +65,21 @@ public String getDisplayName() {
             return "Nexus Artifact Choice Parameter";
         }
 
-        public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item instance) {
-            return new StandardListBoxModel().includeEmptyValue().includeMatchingAs(ACL.SYSTEM, instance, StandardUsernamePasswordCredentials.class,
+        public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item pItem) {
+            // SECURITY-1022
+            pItem.checkPermission(Item.CONFIGURE);
+
+            return new StandardListBoxModel().includeEmptyValue().includeMatchingAs(Jenkins.getAuthentication(), pItem, StandardUsernamePasswordCredentials.class,
                     Collections.<DomainRequirement> emptyList(), CredentialsMatchers.instanceOf(StandardUsernamePasswordCredentials.class));
         }
 
         @POST
-        public FormValidation doTest(@QueryParameter String url, @QueryParameter String credentialsId, @QueryParameter String repositoryId, @QueryParameter String groupId,
+        public FormValidation doTest(@AncestorInPath Item pItem, @QueryParameter String url, @QueryParameter String credentialsId, @QueryParameter String repositoryId, @QueryParameter String groupId,
                 @QueryParameter String artifactId, @QueryParameter String packaging, @QueryParameter String classifier, @QueryParameter boolean reverseOrder) {
+
+            // SECURITY-1022
+            pItem.checkPermission(Item.CONFIGURE);
+
             final IVersionReader service = new NexusLuceneSearchService(url);
 
             // If configured, set User Credentials

src/main/java/org/jenkinsci/plugins/maven_artifact_choicelistprovider/nexus3/Nexus3ChoiceListProvider.java

@@ -23,9 +23,9 @@
 
 import hudson.Extension;
 import hudson.model.Item;
-import hudson.security.ACL;
 import hudson.util.FormValidation;
 import hudson.util.ListBoxModel;
+import jenkins.model.Jenkins;
 import net.sf.json.JSONObject;
 
 public class Nexus3ChoiceListProvider extends AbstractMavenArtifactChoiceListProvider {
@@ -59,14 +59,21 @@ public String getDisplayName() {
             return "Nexus3 Artifact Choice Parameter";
         }
 
-        public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item instance) {
-            return new StandardListBoxModel().includeEmptyValue().includeMatchingAs(ACL.SYSTEM, instance, StandardUsernamePasswordCredentials.class,
+        public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item pItem) {
+            // SECURITY-1022
+            pItem.checkPermission(Item.CONFIGURE);
+
+            return new StandardListBoxModel().includeEmptyValue().includeMatchingAs(Jenkins.getAuthentication(), pItem, StandardUsernamePasswordCredentials.class,
                     Collections.<DomainRequirement> emptyList(), CredentialsMatchers.instanceOf(StandardUsernamePasswordCredentials.class));
         }
 
         @POST
-        public FormValidation doTest(@QueryParameter String url, @QueryParameter String credentialsId, @QueryParameter String repositoryId, @QueryParameter String groupId,
+        public FormValidation doTest(@AncestorInPath Item pItem, @QueryParameter String url, @QueryParameter String credentialsId, @QueryParameter String repositoryId, @QueryParameter String groupId,
                 @QueryParameter String artifactId, @QueryParameter String packaging, @QueryParameter String classifier, @QueryParameter boolean reverseOrder) {
+
+            // SECURITY-1022
+            pItem.checkPermission(Item.CONFIGURE);
+
             final IVersionReader service = new Nexus3RestApiSearchService(url);
 
             // If configured, set User Credentials