[JENKINS-73027] Allow users with Overall/Manage permission to configu…
…re config files (#330)
amuniz authored Apr 18, 2024
1 parent e1caeb9 commit ce072ff
Showing 8 changed files with 21 additions and 12 deletions.
2 changes: 2 additions & 0 deletions pom.xml
Expand Up @@ -32,6 +32,8 @@
<gitHubRepo>jenkinsci/${project.artifactId}-plugin</gitHubRepo>
<jenkins.version>2.414.3</jenkins.version>
<hpi.compatibleSinceVersion>2.15</hpi.compatibleSinceVersion>
<!-- Needed to use Jenkins.MANAGE -->
<useBeta>true</useBeta>
</properties>

<developers>
Expand Up @@ -28,6 +28,7 @@ of this software and associated documentation files (the "Software"), to deal

import javax.servlet.ServletException;

import edu.umd.cs.findbugs.annotations.NonNull;
import hudson.Extension;
import hudson.Util;
import hudson.model.Item;
Expand Down Expand Up @@ -68,15 +69,21 @@ public ConfigFilesManagement() {
}

/**
* The global configuration actions are exclusive of Jenkins administer.
* The global configuration actions are exclusive to Overall/Manage permission.
* @return The target.
*/
@Override
public Object getTarget() {
checkPermission(Jenkins.ADMINISTER);
checkPermission(Jenkins.MANAGE);
return this;
}


@NonNull
@Override
public Permission getRequiredPermission() {
return Jenkins.MANAGE;
}

/**
* @see hudson.model.Action#getDisplayName()
*/
Expand Down Expand Up @@ -221,7 +228,7 @@ public void doAddConfig(StaplerRequest req, StaplerResponse rsp, @QueryParameter

if (error != null) {
req.setAttribute("error", error);
checkPermission(Jenkins.ADMINISTER);
checkPermission(Jenkins.MANAGE);
req.setAttribute("providers", ConfigProvider.all());
req.setAttribute("configId", configId);
req.getView(this, JELLY_RESOURCES_PATH + "selectprovider.jelly").forward(req, rsp);
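Review bot: In doAddConfig the `checkPermission(Jenkins.MANAGE)` call sits inside the `if (error != null)` branch, after `req.setAttribute("error", error)`, so as far as this hunk shows it covers only the validation-failure path and the handler otherwise depends on `getTarget()` for authorization. Because the commit widens access from Overall/Administer to Overall/Manage, it would be clearer to make the check the first statement of the method, or to drop it and add a comment that `getTarget()` gates every request routed to this object. The new `getRequiredPermission()` override also has no Javadoc while its neighbours do; `/** @return Overall/Manage, the same permission getTarget() enforces. */` would record the intent. doAddConfig begins and ends outside the hunk, so an earlier check may exist that is not visible here.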
Expand Up @@ -73,7 +73,7 @@ public ListBoxModel doFillCredentialsIdItems(

StandardListBoxModel result = new StandardListBoxModel();
if (item == null) {
if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
if (!Jenkins.get().hasPermission(Jenkins.MANAGE)) {
return result.includeCurrentValue(credentialsId);
}
return result
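Review bot: Credential listing in the global context is now open to Overall/Manage: with `item == null`, the `hasPermission(Jenkins.MANAGE)` guard lets those users reach the list built after `return result`, where previously only Overall/Administer did. If that is intended, record it next to the guard, e.g. `// Global context: Overall/Manage may list credential ids and names (was Overall/Administer)`; if it is not, this one guard could stay on `Jenkins.ADMINISTER` while the rest of the page moves to MANAGE. The same widening applies to `doFillCredentialsIdItems` in the `ServerCredentialMapping` and `PropertiesCredentialMapping` descriptors further down. The method starts and ends outside the hunk, so which credentials the list includes is not visible here.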
Expand Up @@ -162,7 +162,7 @@ public String getDisplayName() {
}

public ListBoxModel doFillSettingsConfigIdItems(@AncestorInPath ItemGroup context, @AncestorInPath Item project, @QueryParameter String settingsConfigId) {
Permission permToCheck = project == null ? Jenkins.ADMINISTER : Item.EXTENDED_READ;
Permission permToCheck = project == null ? Jenkins.MANAGE : Item.EXTENDED_READ;
AccessControlled contextToCheck = project == null ? Jenkins.get() : project;

ListBoxModel items = new ListBoxModel();
Expand Up @@ -161,7 +161,7 @@ public String getDisplayName() {
}

public ListBoxModel doFillSettingsConfigIdItems(@AncestorInPath ItemGroup context, @AncestorInPath Item project, @QueryParameter String settingsConfigId) {
Permission permToCheck = project == null ? Jenkins.ADMINISTER : Item.EXTENDED_READ;
Permission permToCheck = project == null ? Jenkins.MANAGE : Item.EXTENDED_READ;
AccessControlled contextToCheck = project == null ? Jenkins.get() : project;

ListBoxModel items = new ListBoxModel();
Expand Up @@ -52,10 +52,10 @@ public Descriptor<ServerCredentialMapping> getDescriptor() {
public static class DescriptorImpl extends Descriptor<ServerCredentialMapping> {

public ListBoxModel doFillCredentialsIdItems(@AncestorInPath ItemGroup context, @AncestorInPath Item projectOrFolder, @QueryParameter String serverId) {
List<Permission> permsToCheck = projectOrFolder == null ? Arrays.asList(Jenkins.ADMINISTER) : Arrays.asList(Item.EXTENDED_READ, CredentialsProvider.USE_ITEM);
List<Permission> permsToCheck = projectOrFolder == null ? Arrays.asList(Jenkins.MANAGE) : Arrays.asList(Item.EXTENDED_READ, CredentialsProvider.USE_ITEM);
AccessControlled contextToCheck = projectOrFolder == null ? Jenkins.get() : projectOrFolder;

// If we're on the global page and we don't have administer permission or if we're in a project or folder
// If we're on the global page and we don't have Overall/Manage permission or if we're in a project or folder
// and we don't have permission to use credentials and extended read in the item
if (permsToCheck.stream().anyMatch( per -> !contextToCheck.hasPermission(per))) {
return new StandardUsernameListBoxModel().includeCurrentValue(serverId);
Expand Up @@ -52,10 +52,10 @@ public Descriptor<PropertiesCredentialMapping> getDescriptor() {
public static class DescriptorImpl extends Descriptor<PropertiesCredentialMapping> {

public ListBoxModel doFillCredentialsIdItems(@AncestorInPath ItemGroup context, @AncestorInPath Item projectOrFolder, @QueryParameter String propertyKey) {
Permission permToCheck = projectOrFolder == null ? Jenkins.ADMINISTER : Item.CONFIGURE;
Permission permToCheck = projectOrFolder == null ? Jenkins.MANAGE : Item.CONFIGURE;
AccessControlled contextToCheck = projectOrFolder == null ? Jenkins.get() : projectOrFolder;

// If we're on the global page and we don't have administer permission or if we're in a project or folder
// If we're on the global page and we don't have Overall/Manage permission or if we're in a project or folder
// and we don't have configure permission there
if (!contextToCheck.hasPermission(permToCheck)) {
return new StandardUsernameListBoxModel().includeCurrentValue(propertyKey);
Expand Up @@ -25,7 +25,7 @@ THE SOFTWARE.
<?jelly escape-by-default='true'?>
<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define"
xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form" xmlns:cf="/lib/configfiles">
<l:layout permission="${app.ADMINISTER}" norefresh="true">
<l:layout permission="${app.MANAGE}" norefresh="true">
<st:include page="/org/jenkinsci/plugins/configfiles/ConfigFilesUI/configfiles.jelly" />
</l:layout>
</j:jelly>
