[JENKINS-62278] Jenkins.MANAGE access global config (#245)

pom.xml

@@ -135,6 +135,8 @@ THE SOFTWARE.
   </scm>
 
   <properties>
+    <!-- To be removed once Jenkins.MANAGE gets out of beta -->
+    <useBeta>true</useBeta>
     <revision>2.14.2</revision>
     <changelist>-SNAPSHOT</changelist>
     <gitHubRepo>jenkinsci/subversion-plugin</gitHubRepo>

src/main/java/hudson/scm/SubversionSCM.java

@@ -90,6 +90,7 @@
 import hudson.model.TaskListener;
 import hudson.security.ACL;
 import hudson.security.ACLContext;
+import hudson.security.Permission;
 import hudson.util.ListBoxModel;
 import jenkins.model.Jenkins;
 import hudson.remoting.Channel;
@@ -2218,6 +2219,12 @@ public boolean isBrowserReusable(SubversionSCM x, SubversionSCM y) {
             return true;
         }
 
+        @Nonnull
+        @Override
+        public Permission getRequiredGlobalConfigPagePermission() {
+            return Jenkins.MANAGE;
+        }
+
         /**
          * Creates {@link ISVNAuthenticationProvider} backed by {@link #credentials}.
          * This method must be invoked on the master, but the returned object is remotable.

src/test/java/hudson/scm/SubversionSCMTest.java

@@ -35,17 +35,21 @@
 import com.gargoylesoftware.htmlunit.html.HtmlPage;
 import hudson.EnvVars;
 import hudson.FilePath;
+import hudson.Functions;
 import hudson.Launcher;
 import hudson.Proc;
 import hudson.model.*;
 import hudson.scm.ChangeLogSet.Entry;
 import hudson.scm.SubversionSCM.ModuleLocation;
 import hudson.scm.browsers.Sventon;
 import hudson.scm.subversion.*;
+import hudson.security.ACL;
+import hudson.security.ACLContext;
 import hudson.slaves.DumbSlave;
 import hudson.triggers.SCMTrigger;
 import hudson.util.FormValidation;
 import hudson.util.StreamTaskListener;
+import jenkins.model.Jenkins;
 import jenkins.scm.impl.subversion.RemotableSVNErrorMessage;
 import org.dom4j.Document;
 import org.dom4j.io.DOMReader;
@@ -1807,4 +1811,29 @@ private void invokeTestPollingExternalsForFile() throws Exception {
         // should detect change
         assertTrue(p.poll(StreamTaskListener.fromStdout()).hasChanges());
     }
-}    
+
+    @Test
+    public void manageShouldAccessGlobalConfig() {
+        final String USER = "user";
+        final String MANAGER = "manager";
+        r.jenkins.setSecurityRealm(r.createDummySecurityRealm());
+        r.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
+                // Read access
+                .grant(Jenkins.READ).everywhere().to(USER)
+
+                // Read and Manage
+                .grant(Jenkins.READ).everywhere().to(MANAGER)
+                .grant(Jenkins.MANAGE).everywhere().to(MANAGER)
+        );
+
+        try (ACLContext c = ACL.as(User.getById(USER, true))) {
+            Collection<Descriptor> descriptors = Functions.getSortedDescriptorsForGlobalConfigUnclassified();
+            assertTrue("Global configuration should not be accessible to READ users", descriptors.size() == 0);
+        }
+        try (ACLContext c = ACL.as(User.getById(MANAGER, true))) {
+            Collection<Descriptor> descriptors = Functions.getSortedDescriptorsForGlobalConfigUnclassified();
+            Optional<Descriptor> found = descriptors.stream().filter(descriptor -> descriptor instanceof SubversionSCM.DescriptorImpl).findFirst();
+            assertTrue("Global configuration should be accessible to MANAGE users", found.isPresent());
+        }
+    }
+}