[FIXED JENKINS-16682] getItem(name) can throw an AccessDeniedException
so iterate on itemGroup.getItems and filter by job names
ndeloof committed Feb 7, 2013
1 parent cb07748 commit 629b42a
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions core/src/main/java/hudson/model/ListView.java
Expand Up @@ -154,11 +154,11 @@ public List<TopLevelItem> getItems() {

Boolean statusFilter = this.statusFilter; // capture the value to isolate us from concurrent update
List<TopLevelItem> items = new ArrayList<TopLevelItem>(names.size());
for (String n : names) {
TopLevelItem item = getOwnerItemGroup().getItem(n);
for (TopLevelItem item : getOwnerItemGroup().getItems()) {
if (!names.contains(item.getName())) continue;
// Add if no status filter or filter matches enabled/disabled status:
if(item!=null && (statusFilter == null || !(item instanceof AbstractProject)
|| ((AbstractProject)item).isDisabled() ^ statusFilter))
if(statusFilter == null || !(item instanceof AbstractProject)
|| ((AbstractProject)item).isDisabled() ^ statusFilter)
items.add(item);
}
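
Review bot: the new loop `for (TopLevelItem item : getOwnerItemGroup().getItems())` depends on `getItems()` leaving out items the caller is not allowed to read instead of throwing, yet nothing in the code says so. Per the commit message, that is the whole reason `getItem(n)` was dropped, so add a comment naming the AccessDeniedException case; otherwise a later cleanup could restore the per-name lookup and the exception with it. Two side effects are also worth a look. The loop now walks every item in the owner group and calls `names.contains(item.getName())` for each, so the cost follows the group size rather than the view size. The returned list also follows the order of `getItems()` rather than the order of `names`. A regression test that calls this method as a user without read access to one of the named items would pin the intended behaviour.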


2 comments on commit 629b42a

@jglick
Member

@jglick jglick commented on 629b42a Feb 7, 2013

Assuming it is safe for this code to be run by an anonymous user to begin with, is there some reason you did not simply use ACL.impersonate(ACL.system) with a finally-block?

@ndeloof
Contributor Author

@ndeloof ndeloof commented on 629b42a Feb 7, 2013

This would then reveal job build number and status to anonymous users. DISCOVER suggests we let anonymous know something exists with the requested name but don't give any other information until logged in.