Merge pull request #2269 from daniel-beck/JENKINS-34094
[FIX JENKINS-34094] Add access control
daniel-beck committed Apr 18, 2016
2 parents 1891dee + 6f8540c commit f593885
Showing 7 changed files with 23 additions and 2 deletions.
4 changes: 4 additions & 0 deletions core/src/main/java/hudson/PluginManager.java
Expand Up @@ -993,6 +993,7 @@ public void stop() {
*/
@Restricted(DoNotUse.class) // WebOnly
public HttpResponse doPlugins() {
Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
JSONArray response = new JSONArray();
Map<String,JSONObject> allPlugins = new HashMap<>();
for (PluginWrapper plugin : plugins) {
Expand Down Expand Up @@ -1058,6 +1059,7 @@ public HttpResponse doUpdateSources(StaplerRequest req) throws IOException {
* Performs the installation of the plugins.
*/
public void doInstall(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
Set<String> plugins = new LinkedHashSet<>();

Enumeration<String> en = req.getParameterNames();
Expand Down Expand Up @@ -1086,6 +1088,7 @@ public void doInstall(StaplerRequest req, StaplerResponse rsp) throws IOExceptio
@RequirePOST
@Restricted(DoNotUse.class) // WebOnly
public HttpResponse doInstallPlugins(StaplerRequest req) throws IOException {
Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
String payload = IOUtils.toString(req.getInputStream(), req.getCharacterEncoding());
JSONObject request = JSONObject.fromObject(payload);
JSONArray pluginListJSON = request.getJSONArray("plugins");
Expand Down Expand Up @@ -1118,6 +1121,7 @@ public HttpResponse doInstallPlugins(StaplerRequest req) throws IOException {
* @return The install job list.
* @since FIXME
*/
@Restricted(NoExternalUse.class)
public List<Future<UpdateCenter.UpdateCenterJob>> install(@Nonnull Collection<String> plugins, boolean dynamicLoad) {
return install(plugins, dynamicLoad, null);
}
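Review bot: doInstall in the second hunk installs plugins named by request parameters, yet as far as the hunk shows it carries no `@RequirePOST` between its Javadoc and signature, unlike doInstallPlugins in the third hunk; the new ADMINISTER check limits who may call it but not how, so `@RequirePOST` above `public void doInstall(StaplerRequest req, StaplerResponse rsp)` is the consistent guard. All four new checks go through `Jenkins.getInstance()`, while the last hunk of Jenkins.java in this same commit uses `Jenkins.getActiveInstance()`; if getInstance() is the nullable variant in this tree, `Jenkins.getActiveInstance().checkPermission(Jenkins.ADMINISTER);` keeps a NullPointerException from standing in for the access denial, and the same remark applies to the PluginWrapper, UpdateCenter and UpdateSite hunks. The Javadoc of install(...) in the fourth hunk could also record that the method performs no check of its own, e.g. `* Callers are expected to have checked {@link Jenkins#ADMINISTER}; this method does not.`. The bodies of doPlugins, doInstall and doInstallPlugins continue outside their hunks.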
2 changes: 2 additions & 0 deletions core/src/main/java/hudson/PluginWrapper.java
Expand Up @@ -656,6 +656,7 @@ public HttpResponse doMakeDisabled() throws IOException {
@RequirePOST
@Deprecated
public HttpResponse doPin() throws IOException {
Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
// See https://groups.google.com/d/msg/jenkinsci-dev/kRobm-cxFw8/6V66uhibAwAJ
LOGGER.log(WARNING, "Call to pin plugin has been ignored. Plugin name: " + shortName);
return HttpResponses.ok();
Expand All @@ -664,6 +665,7 @@ public HttpResponse doPin() throws IOException {
@RequirePOST
@Deprecated
public HttpResponse doUnpin() throws IOException {
Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
// See https://groups.google.com/d/msg/jenkinsci-dev/kRobm-cxFw8/6V66uhibAwAJ
LOGGER.log(WARNING, "Call to unpin plugin has been ignored. Plugin name: " + shortName);
return HttpResponses.ok();
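Review bot: The log statements that follow the new checks in doPin and doUnpin build their message by string concatenation; java.util.logging accepts MessageFormat parameters, so `LOGGER.log(WARNING, "Call to pin plugin has been ignored. Plugin name: {0}", shortName);` (and the unpin counterpart) is the idiomatic form and avoids the concatenation when the level is disabled. This is a style point only; in both methods the ADMINISTER check correctly precedes the logging and the return.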
4 changes: 4 additions & 0 deletions core/src/main/java/hudson/model/UpdateCenter.java
Expand Up @@ -290,6 +290,7 @@ public InstallationJob getJob(Plugin plugin) {
*/
@Restricted(DoNotUse.class)
public HttpResponse doConnectionStatus(StaplerRequest request) {
Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
try {
String siteId = request.getParameter("siteId");
if (siteId == null) {
Expand Down Expand Up @@ -338,6 +339,7 @@ public HttpResponse doConnectionStatus(StaplerRequest request) {
*/
@Restricted(DoNotUse.class) // WebOnly
public HttpResponse doIncompleteInstallStatus() {
Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
try {
Map<String,String> jobs = InstallUtil.getPersistedInstallStatus();
if(jobs == null) {
Expand All @@ -354,6 +356,7 @@ public HttpResponse doIncompleteInstallStatus() {
* us to support install resume if Jenkins is restarted while plugins are
* being installed.
*/
@Restricted(NoExternalUse.class)
public synchronized void persistInstallStatus() {
List<UpdateCenterJob> jobs = getJobs();

Expand Down Expand Up @@ -386,6 +389,7 @@ public synchronized void persistInstallStatus() {
*/
@Restricted(DoNotUse.class)
public HttpResponse doInstallStatus(StaplerRequest request) {
Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
try {
String correlationId = request.getParameter("correlationId");
Map<String,Object> response = new HashMap<>();
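Review bot: The checks added to doConnectionStatus, doIncompleteInstallStatus and doInstallStatus sit just before each `try {`, but nothing records that the placement is deliberate; the catch clauses are outside the hunks, and if any of them catches broadly, a check moved inside the try would have its access-denied exception swallowed and an ordinary response returned. A one-line comment on each check, `// must stay ahead of the try: an access denial must not be caught below`, would protect the ordering against a later refactor. persistInstallStatus in the third hunk gains only `@Restricted(NoExternalUse.class)` and no check, which is consistent with it being a non-web method, but its Javadoc could say that its web callers are the ones that authorize. All four method bodies continue outside their hunks.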
1 change: 1 addition & 0 deletions core/src/main/java/hudson/model/UpdateSite.java
Expand Up @@ -840,6 +840,7 @@ public Future<UpdateCenterJob> deploy(boolean dynamicLoad) {
* See {@link UpdateCenter#isRestartRequiredForCompletion()}
* @param correlationId A correlation ID to be set on the job.
*/
@Restricted(NoExternalUse.class)
public Future<UpdateCenterJob> deploy(boolean dynamicLoad, @CheckForNull UUID correlationId) {
Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
UpdateCenter uc = Jenkins.getInstance().getUpdateCenter();
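Review bot: deploy(boolean, UUID) now calls `Jenkins.getInstance()` twice in a row, once for the check and once for the update center; hoisting it into a local, `Jenkins j = Jenkins.getInstance();` then `j.checkPermission(Jenkins.ADMINISTER);` and `UpdateCenter uc = j.getUpdateCenter();`, reads better and guarantees both calls see the same instance. The Javadoc tail at the top of the hunk lists `@param correlationId` but not the new precondition; an `@throws` entry for the access-denied exception thrown by checkPermission, noting that ADMINISTER is required, would document it. Whether the single-argument deploy(boolean) named in the hunk header delegates to this overload, and is therefore covered by the check, is not visible here. The method body continues outside the hunk.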
1 change: 1 addition & 0 deletions core/src/main/java/hudson/model/View.java
Expand Up @@ -1045,6 +1045,7 @@ public FormValidation doCheckJobName(@QueryParameter String value) {
*/
@Restricted(DoNotUse.class)
public Categories doItemCategories(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
getOwner().checkPermission(Item.CREATE);
Categories categories = new Categories();
int order = 0;
for (TopLevelItemDescriptor descriptor : DescriptorVisibilityFilter.apply(getOwnerItemGroup(), Items.all(Jenkins.getAuthentication(), getOwnerItemGroup()))) {
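Review bot: In doItemCategories the new check is resolved against `getOwner()` while the descriptors two lines below are filtered against `getOwnerItemGroup()` with the current authentication; whether those two always denote the same scope is outside the hunk, so a comment on the check, `// CREATE on the owning group is the same right the New Item page requires`, would record the intent and make any future divergence visible. The Javadoc tail at the top of the hunk does not mention the precondition either; an `@throws` entry for the access-denied exception raised by checkPermission would complete it. The method body continues outside the hunk.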
1 change: 1 addition & 0 deletions core/src/main/java/hudson/model/ViewDescriptor.java
Expand Up @@ -79,6 +79,7 @@ protected ViewDescriptor() {
*/
@Restricted(DoNotUse.class)
public AutoCompletionCandidates doAutoCompleteCopyNewItemFrom(@QueryParameter final String value, @AncestorInPath ItemGroup<?> container) {
// TODO do we need a permissions check here?
AutoCompletionCandidates candidates = AutoCompletionCandidates.ofJobNames(TopLevelItem.class, value, container);
if (container instanceof DirectlyModifiableTopLevelItemGroup) {
DirectlyModifiableTopLevelItemGroup modifiableContainer = (DirectlyModifiableTopLevelItemGroup) container;
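Review bot: The commit leaves `// TODO do we need a permissions check here?` on doAutoCompleteCopyNewItemFrom, a web endpoint that returns job names from the supplied container, while the sibling endpoint View.doItemCategories in this same commit gets a CREATE check; an unresolved question on an access-control fix is the one place it should not stay open. Whether `AutoCompletionCandidates.ofJobNames` already restricts the candidates to items the caller may read is not visible here; if it does, the comment should say so, e.g. `// no check needed: ofJobNames only returns items visible to the caller`, and if it does not, a CREATE check on the container when it is an AccessControlled instance mirrors View.doItemCategories. The method body continues outside the hunk.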
12 changes: 10 additions & 2 deletions core/src/main/java/jenkins/model/Jenkins.java
Expand Up @@ -4256,14 +4256,20 @@ public List<ManagementLink> getManagementLinks() {

/**
* If set, a currently active setup wizard - e.g. installation
*
* @since 2.0
*/
@Restricted(NoExternalUse.class)
public SetupWizard getSetupWizard() {
return setupWizard;
}

/**
* Sets the setup wizard
*
* @since 2.0
*/
@Restricted(NoExternalUse.class)
public void setSetupWizard(SetupWizard setupWizard) {
this.setupWizard = setupWizard;
}
Expand Down Expand Up @@ -4594,8 +4600,9 @@ private static void computeVersion(ServletContext context) {

/**
* The version number before it is "computed" (by a call to computeVersion()).
* @since FIXME
* @since 2.0
*/
@Restricted(NoExternalUse.class)
public static final String UNCOMPUTED_VERSION = "?";

/**
Expand All @@ -4617,8 +4624,9 @@ private static void computeVersion(ServletContext context) {
* <p>
* Parses the version into {@link VersionNumber}, or null if it's not parseable as a version number
* (such as when Jenkins is run with "mvn hudson-dev:run")
* @since FIXME
* @since 2.0
*/
@Restricted(NoExternalUse.class)
public @CheckForNull static VersionNumber getStoredVersion() {
return toVersion(Jenkins.getActiveInstance().version);
}
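Review bot: The Javadoc of getSetupWizard in the first hunk is a fragment, "If set, a currently active setup wizard - e.g. installation", with no `@return`; `@return the setup wizard currently in use, or null when none has been set` would state the contract the "If set" wording only implies. setSetupWizard likewise documents nothing about its parameter; `@param setupWizard the wizard to expose, or null to clear it` fits the same hunk, with the null case hedged since the field's handling is outside the hunk. The remaining two hunks only correct `@since FIXME` to `@since 2.0` and add `@Restricted(NoExternalUse.class)`, which need no further note.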
