RainierWolf

Reputation: 53

Jenkins API: User.hasPermission always returns true

I'm developing my first plugin for Jenkins that will add some additional permissions to Jenkins' matrix based security authorization.

I'm developing the plugin in NetBeans 8.1. The plugin can build and deploy to Jenkins 1.625.3 and I can see my permission show up in the matrix table.

The plugin has a class that extends the RunListener<AbstractBuild> extension point. I override the setUpEnvironment method and in this method I'm trying to see if the user that caused the build has my new permissions.

Unfortunately, every time I call User.get(username).hasPermission(permission), the result is true. I've simplified the testing by creating two users:

  1. adminuser: has the Administer permission
  2. devuser: currently just has overall read and no other checkboxes checked.

If I put a debug break in my setUpEnvironment method, and add the following watch, the result is true:

User.get("devuser").hasPermission(hudson.model.Hudson.ADMINISTER)

Intuitively, I look at the code above and think hasPermission is based on the User returned by the get method. However, I'm starting to suspect that it doesn't matter that hasPermission is called on the user object; the security principal is some system user with uber access.

Can someone point me in the right direction?

Thanks!

[Image: Matrix Screenshot]

[Image: Debug Watches]

Upvotes: 2

Views: 1614

Answers (1)

luka5z

Reputation: 7805

The problem is that User.hasPermission(Permission p) calls ACL.hasPermission(Permission p), which in fact runs:

return hasPermission(Jenkins.getAuthentication(),p);

Therefore permissions are not checked for the loaded User but for the current User executing this code.

If you run the code below from the Script Console:

// 'instance' is not predefined in the Script Console, so bind it first
def instance = Jenkins.getInstance()
// 1) ask the authorization strategy directly about the user id
println instance.getAuthorizationStrategy().
        hasPermission("devuser", hudson.model.Hudson.ADMINISTER)
// 2) and 3) evaluate the ACL against devuser's own Authentication
println instance.getAuthorizationStrategy().getACL(User.get("devuser")).
        hasPermission(User.get("devuser").impersonate(), hudson.model.Hudson.ADMINISTER)
println instance.getAuthorizationStrategy().getACL(User.get("devuser")).
        hasPermission(User.get("devuser").impersonate(), hudson.model.Hudson.ADMINISTER)
// 4) and 5) the one-argument form uses Jenkins.getAuthentication(), i.e. whoever runs this script
println instance.getAuthorizationStrategy().getACL(User.get("devuser")).
        hasPermission(hudson.model.Hudson.ADMINISTER)
println instance.getAuthorizationStrategy().getACL(User.current()).
        hasPermission(hudson.model.Hudson.ADMINISTER)

it will return:

false
false
false
true
true

As a "workaround", obtain the authorization strategy directly from the Jenkins object and call its hasPermission(...) method:

def instance = Jenkins.getInstance()
instance.getAuthorizationStrategy().hasPermission("devuser", Jenkins.ADMINISTER)

Upvotes: 1
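Applied to the asker's RunListener, as an added example that is neither the asker's plugin nor the answerer's code: the listener resolves the user who triggered the build and evaluates the job's ACL against that user's own Authentication instead of calling User.hasPermission. The class name is hypothetical, Jenkins.ADMINISTER stands in for the plugin's own Permission, and the Jenkins 1.x API (org.acegisecurity.Authentication, User.impersonate()) is assumed as on the page.

```java
import hudson.Extension;
import hudson.Launcher;
import hudson.model.AbstractBuild;
import hudson.model.BuildListener;
import hudson.model.Cause;
import hudson.model.Environment;
import hudson.model.Run;
import hudson.model.User;
import hudson.model.listeners.RunListener;
import hudson.security.Permission;
import jenkins.model.Jenkins;
import org.acegisecurity.Authentication;

import java.io.IOException;
import java.util.Collections;

/** Hypothetical listener name; the asker's plugin is not named on the page. */
@Extension
public class TriggeringUserPermissionListener extends RunListener<AbstractBuild> {

    /**
     * Checks whether a specific user holds a permission on the job this build belongs to.
     * user.hasPermission(p) must not be used here: it evaluates Jenkins.getAuthentication(),
     * i.e. whoever is running this code (SYSTEM inside a build), not the User it is called on.
     * user.impersonate() may throw a runtime UsernameNotFoundException for an unknown id.
     */
    static boolean userHasPermission(AbstractBuild build, User user, Permission p) {
        Authentication auth = user.impersonate();      // the user's own Authentication
        return build.getACL().hasPermission(auth, p);  // ACL of the job, from the authorization strategy
    }

    @Override
    public Environment setUpEnvironment(AbstractBuild build, Launcher launcher, BuildListener listener)
            throws IOException, InterruptedException, Run.RunnerAbortedException {
        Cause.UserIdCause cause = build.getCause(Cause.UserIdCause.class);
        String userId = cause == null ? null : cause.getUserId();
        if (userId == null) {  // timer/SCM trigger or anonymous: no user to check
            listener.getLogger().println("Build not triggered by a logged-in user; skipping check");
            return new Environment() {};
        }
        // create=false so an unknown id does not silently create a User record
        User user = User.get(userId, false, Collections.emptyMap());
        if (user == null) {
            listener.getLogger().println("No such user: " + userId);
            return new Environment() {};
        }
        boolean allowed = userHasPermission(build, user, Jenkins.ADMINISTER);  // substitute the plugin's Permission
        listener.getLogger().println(userId + " has " + Jenkins.ADMINISTER.name + ": " + allowed);
        return new Environment() {};
    }
}
```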
