[JENKINS-28975] Added support for View permissions at the View level rather than only at global level #21
Conversation
| <!-- | ||
| - The MIT License | ||
| - | ||
| - Copyright (c) 2013, Oleg Nenashev, Synopsys Inc. |
There was a problem hiding this comment.
Imho even the slave file needs some rework
|
OK. I will update the license header and push the changes. |
|
@oleg-nenashev |
|
@oleg-nenashev |
| @@ -592,6 +599,10 @@ else if (type.equals(SLAVE)) { | |||
| groups.remove(PermissionGroup.get(SCM.class)); | |||
| groups.remove(PermissionGroup.get(Run.class)); | |||
| } | |||
| else if (type.equals(VIEW)) { | |||
| groups = new ArrayList<PermissionGroup>(); | |||
| groups.add(PermissionGroup.get(View.class)); | |||
There was a problem hiding this comment.
Blacklisting of groups above is made for a reason. If somebody adds a permission for view outside this group (e.g. MANAGE_OWNERSHIP.View), it won't appear in the table. For old plugins there is no way to add permissions to existing groups IIRC
There was a problem hiding this comment.
If I get all the PermissionGroups then removing other except the View.class but Credentials section is coming in table so to eliminate that section which is not having any importance created a new list with just View PermissionGroup.
There was a problem hiding this comment.
@oleg-nenashev
Shall I do it like the previous implementation for VIEW too as you said that it has been implemented for a reason.
Or else is this OK to add View.class only.
There was a problem hiding this comment.
Let's keep it as is by now
|
Generally looks good to me. Need to perform some testing |
|
@oleg-nenashev |
|
@oleg-nenashev |
|
I rarely do testing during the working week :( |
|
The current permission check approach does not work correctly for Views in Folders Plugin. Seems you may have to emulate a kind of getFullName() method for views. And same for user custom views, for which the current behavior seems to be may be a security risk (needs core code review). Also, I see the strange layout tabbing in Safari, which didn't use to happen before the patch (needs to be confirmed).
|
|
@oleg-nenashev |
|
@oleg-nenashev |
| return getACL(VIEW, getViewFullName(view), RoleType.View, view); | ||
| } | ||
|
|
||
| String getViewFullName(View view) { |
There was a problem hiding this comment.
This code will be invoked VERY frequently. It really makes sense to replace recursive call by a loop with StringBuilder
|
Ok. I will modify the according to your feedback. |
| return view.getViewName(); | ||
| } | ||
| else { | ||
| sb.append("/" + view.getViewName()); |
There was a problem hiding this comment.
The approach is not very safe in the case of slashes in the view name, which were allowed in old Jenkins versions, but it's a corner case we can ignore
There was a problem hiding this comment.
We are using slash to separate the view name from the parent name.
This functionality I have taken from the Jenkins core, referred some model classes how emulation of full name happening.
|
Hi @oleg-nenashev |
|
@pskumar448 |
|
OK. @oleg-nenashev |
|
@oleg-nenashev |
|
Hi guys, could you help me? |
|
@remm Responded in the ticket |
oleg-nenashev
changed the title
|
|
||
| String getViewFullName(View view) { | ||
| StringBuilder sb = new StringBuilder(); | ||
| sb.append(view.getOwnerItemGroup().getFullName()); |
There was a problem hiding this comment.
View names are ambiguous this way. When you use the nested views plugin There could be 2 views with that name
Assume you have a folder and in this you have 2 views:
view1
view2
view2 is a nested view view, that contains also a view with name view1
folder/view1
/view2/view1
For both views the above code would just return folder, which makes it unclear which is meant.
Added possibility to setup permissions at view level rather giving permissions at global level.
This will hide the View from top tab bar, but if the user try to access via direct URL it will be accessible.
New feature PR (jenkinsci/jenkins#2499) to has been submitted to Jenkins Core to handle direct URL authorization of the user on view.
https://issues.jenkins-ci.org/browse/JENKINS-28975