[JENKINS-28975] Added support for View permissions at the View level rather than only at global level #21
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -80,6 +80,7 @@ public class RoleBasedAuthorizationStrategy extends AuthorizationStrategy { | |
| public final static String GLOBAL = "globalRoles"; | ||
| public final static String PROJECT = "projectRoles"; | ||
| public final static String SLAVE = "slaveRoles"; | ||
| public final static String VIEW = "viewRoles"; | ||
| public final static String MACRO_ROLE = "roleMacros"; | ||
| public final static String MACRO_USER = "userMacros"; | ||
|
|
||
|
|
@@ -138,6 +139,23 @@ public ACL getACL(AbstractItem project) { | |
| public ACL getACL(Computer computer) { | ||
| return getACL(SLAVE, computer.getName(), RoleType.Slave, computer); | ||
| } | ||
|
|
||
| @Override | ||
| public ACL getACL(View view) { | ||
| return getACL(VIEW, getViewFullName(view), RoleType.View, view); | ||
| } | ||
|
|
||
| String getViewFullName(View view) { | ||
| StringBuilder sb = new StringBuilder(); | ||
| sb.append(view.getOwnerItemGroup().getFullName()); | ||
|
There was a problem hiding this comment. I'm not exactly sure what is going to happen for User private views here. Maybe it worth to create a couple of unit tests to address such cases. I can help with Role Strategy initialization framework for it There was a problem hiding this comment. Ok. I will try to understand how User private views works as a functionality. Do you have any information regarding the crucial functionality of the User private views in Jenkins. There was a problem hiding this comment. View names are ambiguous this way. When you use the nested views plugin There could be 2 views with that name For both views the above code would just return folder, which makes it unclear which is meant. |
||
| if(sb.length()==0) { | ||
| return view.getViewName(); | ||
| } | ||
| else { | ||
| sb.append("/" + view.getViewName()); | ||
|
There was a problem hiding this comment. The approach is not very safe in the case of slashes in the view name, which were allowed in old Jenkins versions, but it's a corner case we can ignore There was a problem hiding this comment. We are using slash to separate the view name from the parent name. |
||
| return sb.toString(); | ||
| } | ||
| } | ||
|
|
||
| /** | ||
| * Used by the container realm. | ||
|
|
@@ -449,7 +467,7 @@ public AuthorizationStrategy newInstance(StaplerRequest req, JSONObject formData | |
|
|
||
| // If the form contains data, it means the method has been called by plugin | ||
| // specifics forms, and we need to handle it. | ||
| if (formData.has(GLOBAL) && formData.has(PROJECT) && formData.has(SLAVE) && formData.has(VIEW) && oldStrategy instanceof RoleBasedAuthorizationStrategy) { | ||
| strategy = new RoleBasedAuthorizationStrategy(); | ||
|
|
||
| JSONObject globalRoles = formData.getJSONObject(GLOBAL); | ||
|
|
@@ -478,6 +496,7 @@ public AuthorizationStrategy newInstance(StaplerRequest req, JSONObject formData | |
|
|
||
| ReadRoles(formData, PROJECT, strategy, (RoleBasedAuthorizationStrategy)oldStrategy); | ||
| ReadRoles(formData, SLAVE, strategy, (RoleBasedAuthorizationStrategy)oldStrategy); | ||
| ReadRoles(formData, VIEW, strategy, (RoleBasedAuthorizationStrategy)oldStrategy); | ||
| } | ||
| // When called from Hudson Manage panel, but was already on a role-based strategy | ||
| else if(oldStrategy instanceof RoleBasedAuthorizationStrategy) { | ||
|
|
@@ -592,6 +611,10 @@ else if (type.equals(SLAVE)) { | |
| groups.remove(PermissionGroup.get(SCM.class)); | ||
| groups.remove(PermissionGroup.get(Run.class)); | ||
| } | ||
| else if (type.equals(VIEW)) { | ||
| groups = new ArrayList<PermissionGroup>(); | ||
| groups.add(PermissionGroup.get(View.class)); | ||
|
There was a problem hiding this comment. Blacklisting of groups above is made for a reason. If somebody adds a permission for view outside this group (e.g. MANAGE_OWNERSHIP.View), it won't appear in the table. For old plugins there is no way to add permissions to existing groups IIRC There was a problem hiding this comment. If I get all the PermissionGroups then removing other except the View.class but Credentials section is coming in table so to eliminate that section which is not having any importance created a new list with just View PermissionGroup. There was a problem hiding this comment. @oleg-nenashev There was a problem hiding this comment. Let's keep it as is by now |
||
| } | ||
| else { | ||
| groups = null; | ||
| } | ||
|
|
@@ -611,6 +634,9 @@ else if(type.equals(PROJECT)) { | |
| else if (type.equals(SLAVE)) { | ||
| return p!=Computer.CREATE && p.getEnabled(); | ||
| } | ||
| else if (type.equals(VIEW)) { | ||
| return p!=View.CREATE && p.getEnabled(); | ||
| } | ||
| else { | ||
| return false; | ||
| } | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,145 @@ | ||
| <!-- | ||
| - The MIT License | ||
| - | ||
| - Copyright (c) 2016, Suresh. | ||
| - | ||
| - Original file: manage-project-roles.jelly | ||
| - Thomas Maurel & Romain Seguy, Manufacture Française des Pneumatiques Michelin | ||
| - | ||
| - Permission is hereby granted, free of charge, to any person obtaining a copy | ||
| - of this software and associated documentation files (the "Software"), to deal | ||
| - in the Software without restriction, including without limitation the rights | ||
| - to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
| - copies of the Software, and to permit persons to whom the Software is | ||
| - furnished to do so, subject to the following conditions: | ||
| - | ||
| - The above copyright notice and this permission notice shall be included in | ||
| - all copies or substantial portions of the Software. | ||
| - | ||
| - THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
| - IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
| - FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
| - AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
| - LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
| - OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN | ||
| - THE SOFTWARE. | ||
| --> | ||
| <?jelly escape-by-default='true'?> | ||
| <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" | ||
| xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form" xmlns:local="local"> | ||
|
|
||
| <j:set var="id" value="${h.generateId()}"/> | ||
|
|
||
| <table id="viewRoles" class="center-align global-matrix-authorization-strategy-table" name="data"> | ||
|
|
||
| <!-- The first row will show grouping --> | ||
| <tr class="group-row"> | ||
| <td class="start" /> | ||
| <td class="pane-header blank"> | ||
| ${%User/group} | ||
| </td> | ||
| <j:forEach var="role" items="${viewGrantedRoles}"> | ||
| <td class="pane-header"> | ||
| ${role.key.name} | ||
| </td> | ||
| </j:forEach> | ||
| <td class="stop" /> | ||
| </tr> | ||
| <j:set var="nbAssignedViewRoles" value="${0}" /> | ||
| <j:forEach var="sid" items="${viewSIDs}"> | ||
| <tr name="[${sid}]" class="permission-row"> | ||
| <local:userRow sid="${sid}" title="${sid}" global="${false}" type="${it.strategy.VIEW}"/> | ||
| </tr> | ||
| <j:set var="nbAssignedViewRoles" value="${nbAssignedViewRoles+1}" /> | ||
| </j:forEach> | ||
| <tr name="anonymous"> | ||
| <local:userRow sid="anonymous" title="${%Anonymous}" global="${false}" type="${it.strategy.VIEW}"/> | ||
| </tr> | ||
| <tr id="${id}" style="display:none" class="permission-row"> | ||
| <local:userRow global="${false}" type="${it.strategy.VIEW}"/> | ||
| </tr> | ||
| <!-- The last row is used to repeat the header (if more than 19+1 lines) --> | ||
| <j:if test="${nbAssignedViewRoles ge 19}"> | ||
| <tr class="group-row"> | ||
| <td class="start" /> | ||
| <td class="pane-header blank"> | ||
| ${%User/group} | ||
| </td> | ||
| <j:forEach var="role" items="${viewGrantedRoles}"> | ||
| <td class="pane-header"> | ||
| ${role.key.name} | ||
| </td> | ||
| </j:forEach> | ||
| <td class="stop" /> | ||
| </tr> | ||
| </j:if> | ||
| </table> | ||
|
|
||
| <br /><br /> | ||
| <f:entry title="${%User/group to add}" help="${rootURL}/plugin/role-strategy/help/help-user-group-add.html"> | ||
| <f:textbox type="text" id="${id}text" /> | ||
| </f:entry> | ||
| <f:entry> | ||
| <input type="button" value="${%Add}" id="${id}button"/> | ||
| </f:entry> | ||
|
|
||
| <script> | ||
| var tableHighlighter; | ||
| (function() { | ||
| <!-- place master outside the DOM tree so that it won't creep into the submitted form --> | ||
| var master = document.getElementById('${id}'); | ||
| var table = master.parentNode; | ||
| table.removeChild(master); | ||
|
|
||
| makeButton($$('${id}button'), function (e) { | ||
| <!-- when 'add' is clicked... --> | ||
| var name = $$('${id}text').value; | ||
| if(name=="") { | ||
| alert("Please enter a role name"); | ||
| return; | ||
| } | ||
| if(findElementsBySelector(table,"TR").find(function(n){return n.getAttribute("name")=='['+name+']';})!=null) { | ||
| alert("Entry for '"+name+"' already exists"); | ||
| return; | ||
| } | ||
|
|
||
| if(document.importNode!=null) | ||
| copy = document.importNode(master,true); | ||
| else | ||
| copy = master.cloneNode(true); <!-- for IE --> | ||
| copy.removeAttribute("id"); | ||
| copy.removeAttribute("style"); | ||
| copy.childNodes[1].innerHTML = name; | ||
| copy.setAttribute("name",'['+name+']'); | ||
| <j:if test="${nbAssignedViewRoles lt 19}"> | ||
| table.appendChild(copy); | ||
| </j:if> | ||
| <j:if test="${nbAssignedViewRoles ge 19}"> | ||
| table.insertBefore(copy,table.childNodes[table.rows.length-1]); | ||
| </j:if> | ||
| tableHighlighter.scan(copy); | ||
| Behaviour.applySubtree(findAncestor(table,"TABLE")); | ||
| }); | ||
| })(); | ||
|
|
||
| Event.observe(window, 'load', function(event) { | ||
| tableHighlighter = new TableHighlighter('viewRoles', 0, 1); | ||
| }); | ||
|
|
||
| var deleteAssignedViewRole = function(e) { | ||
| e.onclick = function() { | ||
| var tr = findAncestor(this,"TR"); | ||
| tr.parentNode.removeChild(tr); | ||
| return false; | ||
| } | ||
| e = null; <!-- avoid memory leak --> | ||
| } | ||
| Behaviour.register({ | ||
| "#viewRoles TD.start A" : deleteAssignedViewRole, | ||
| "#viewRoles TD.stop A" : deleteAssignedViewRole, | ||
| "#viewRoles TR.permission-row" : function(e) { | ||
| FormChecker.delayedCheck("${descriptorPath}/checkName?value="+encodeURIComponent(e.getAttribute("name")),"GET",e.childNodes[1]); | ||
| } | ||
| }); | ||
| </script> | ||
| </j:jelly> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This code will be invoked VERY frequently. It really makes sense to replace recursive call by a loop with StringBuilder