/**
 * Permission test that degrades gracefully when the "it" object is not an
 * {@link AccessControlled}.
 *
 * <p>Resolution order, as implemented below:
 * <ol>
 *   <li>a {@code null} permission is answered with {@code true} without consulting any ACL;</li>
 *   <li>an {@link AccessControlled} {@code object} answers for itself;</li>
 *   <li>otherwise the first {@link AccessControlled} ancestor of the current Stapler request,
 *       taken in the order produced by {@code Iterators.reverse}, answers;</li>
 *   <li>otherwise the {@link Jenkins} instance answers.</li>
 * </ol>
 *
 * @param object     the object being rendered; may be any type
 * @param permission the permission to test, or {@code null} for "no permission required"
 * @return whether the resolved object grants {@code permission}
 */
public static boolean hasPermission(Object object, Permission permission) throws IOException, ServletException {
    // Callers that pass null get an unconditional "yes"; a forgotten permission fails open.
    if (permission == null) {
        return true;
    }
    if (object instanceof AccessControlled) {
        return ((AccessControlled) object).hasPermission(permission);
    }

    // No ACL on the object itself: borrow the one of the first access-controlled ancestor.
    List<Ancestor> ancestors = Stapler.getCurrentRequest().getAncestors();
    for (Ancestor ancestor : Iterators.reverse(ancestors)) {
        Object candidate = ancestor.getObject();
        if (candidate instanceof AccessControlled) {
            return ((AccessControlled) candidate).hasPermission(permission);
        }
    }

    // Nothing in the request path carries an ACL, so the Jenkins instance decides.
    return Jenkins.getInstance().hasPermission(permission);
}
/**
 * Creates a new top-level item of the given type under {@code parent}, saves it and registers it.
 *
 * <p>All authorization, applicability and naming checks run before the item is instantiated,
 * so a rejected request leaves nothing behind from this method.
 *
 * @param type   descriptor of the item type to create
 * @param name   name of the new item
 * @param notify whether {@link ItemListener#fireOnCreated} is called for the new item
 * @return the newly created item
 */
public synchronized TopLevelItem createProject(TopLevelItemDescriptor type, String name, boolean notify)
        throws IOException {
    // Authorization: generic create permission, type applicability, then the per-type create check.
    acl.checkPermission(Item.CREATE);
    type.checkApplicableIn(parent);
    acl.getACL().checkCreatePermission(parent, type);

    // Naming: configured naming strategy first, then collision with an existing item.
    Jenkins.getInstance().getProjectNamingStrategy().checkName(name);
    Items.verifyItemDoesNotAlreadyExist(parent, name, null);

    final TopLevelItem created = type.newInstance(parent, name);
    created.onCreatedFromScratch();
    created.save();
    add(created);

    Jenkins.getInstance().rebuildDependencyGraphAsync();
    if (notify) {
        ItemListener.fireOnCreated(created);
    }
    return created;
}
// Excerpt only: these statements are not contiguous in their original method (as shown,
// `if(parent.getItem(name)!=null)` is followed directly by a declaration, which would not
// compile), so read the ordering of checks as indicative, not exact.
// Checks visible here: Item.CREATE on `acl`, name validation through Jenkins.checkGoodName,
// an existing-item lookup on `parent`, and a create-permission check for `descriptor` in `parent`.
acl.checkPermission(Item.CREATE); Jenkins.checkGoodName(name); name = name.trim(); if(parent.getItem(name)!=null) Item src = Jenkins.getInstance().getItem(from, parent); if(src==null) { if(Util.fixEmpty(from)==null) acl.getACL().checkCreatePermission(parent, descriptor);
/**
 * Form validation for the credentials id field: reports an error when {@code value} does not
 * match any credential returned by the lookup below.
 *
 * <p>Callers without {@code Computer.CONFIGURE} on the resolved context always receive
 * {@link FormValidation#ok()}, so the response does not tell them whether the id exists.
 *
 * @param context the item group found in the request path; the Jenkins instance is used for the
 *                permission check when it is not {@link AccessControlled}
 * @param value   the credentials id submitted by the form
 * @return {@code ok} when the id matches or the caller may not configure, otherwise an error
 */
public FormValidation doCheckCredentialsId(@AncestorInPath ItemGroup context, @QueryParameter String value) {
    AccessControlled scope;
    if (context instanceof AccessControlled) {
        scope = (AccessControlled) context;
    } else {
        scope = Jenkins.getInstance();
    }

    final boolean mayConfigure = scope != null && scope.hasPermission(Computer.CONFIGURE);
    if (!mayConfigure) {
        return FormValidation.ok(); // no need to alarm a user that cannot configure
    }

    // The lookup runs as ACL.SYSTEM, not as the requesting user, so the permission check above
    // is the only gate on this existence probe.
    for (ListBoxModel.Option option : CredentialsProvider.listCredentials(
            StandardUsernameCredentials.class,
            context,
            ACL.SYSTEM,
            Collections.<DomainRequirement>singletonList(SSHLauncher.SSH_SCHEME),
            SSHAuthenticator.matcher(Connection.class))) {
        if (StringUtils.equals(value, option.value)) {
            return FormValidation.ok();
        }
    }
    return FormValidation.error(Messages.SSHLauncher_SelectedCredentialsMissing());
}
/**
 * Lists the registered {@link TopLevelItemDescriptor}s that the given security principal may
 * create inside the given item group.
 *
 * <p>The ACL consulted is the group's own when the group is {@link AccessControlled}; otherwise
 * the ACL of the Jenkins instance is used.
 *
 * @param a the principal whose create permission is tested
 * @param c the item group the new item would live in
 * @return a new list holding every descriptor that is both permitted for {@code a} and
 *         applicable in {@code c}
 * @since 1.607
 */
public static List<TopLevelItemDescriptor> all(Authentication a, ItemGroup c) {
    // fall back to root when the group carries no ACL of its own
    final ACL acl = (c instanceof AccessControlled)
            ? ((AccessControlled) c).getACL()
            : Jenkins.getInstance().getACL();

    final List<TopLevelItemDescriptor> permitted = new ArrayList<TopLevelItemDescriptor>();
    for (TopLevelItemDescriptor descriptor : all()) {
        // Permission is evaluated first; applicability is only asked for permitted types.
        if (!acl.hasCreatePermission(a, c, descriptor)) {
            continue;
        }
        if (descriptor.isApplicableIn(c)) {
            permitted.add(descriptor);
        }
    }
    return permitted;
}
/**
 * Runs the validation code, after enforcing {@code permission} when one is set.
 *
 * <p>When {@code permission} is {@code null} no authorization is performed at all. When it is set,
 * a denial (including the "No subject" case) is overridden for callers holding
 * {@code Jenkins.ADMINISTER}; everyone else sees the original {@link AccessDeniedException}.
 */
public final void process() throws IOException, ServletException {
    if (permission != null) {
        try {
            if (subject == null) {
                throw new AccessDeniedException("No subject");
            }
            subject.checkPermission(permission);
        } catch (AccessDeniedException denied) {
            // Deliberate escape hatch: an instance-wide administrator passes every check, so a
            // broken ACL/SecurityRealm implementation or configuration cannot lock them out.
            final boolean isAdministrator = Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER);
            if (!isAdministrator) {
                throw denied;
            }
        }
    }
    check();
}
/**
 * Authorizes a validation request made through the current Stapler request.
 *
 * <p>If an {@code AbstractProject} is among the request's ancestors, {@code Item.CONFIGURE} is
 * required on it; with no project in the path the stricter {@code Jenkins.ADMINISTER} is required
 * on the Jenkins instance.
 */
private static void checkPermissionForValidate() {
    final AccessControlled project = Stapler.getCurrentRequest().findAncestorObject(AbstractProject.class);
    if (project != null) {
        project.checkPermission(Item.CONFIGURE);
        return;
    }
    // No project context to scope the check to: only administrators may proceed.
    Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
}
/**
 * Populates the credentials drop-down for a host/port pair.
 *
 * <p>Callers without {@code Computer.CONFIGURE} on the resolved context, and requests whose
 * {@code port} is not a parseable integer, get a model holding only the currently selected value.
 *
 * @param context       item group from the request path, used for the permission check
 * @param host          host name used to build the {@code HostnamePortRequirement}
 * @param port          port as submitted; parsed with {@link Integer#parseInt(String)}
 * @param credentialsId the currently selected credentials id
 * @return the list box model for the credentials field
 */
public ListBoxModel doFillCredentialsIdItems(@AncestorInPath ItemGroup context,
                                             @QueryParameter String host,
                                             @QueryParameter String port,
                                             @QueryParameter String credentialsId) {
    AccessControlled scope;
    if (context instanceof AccessControlled) {
        scope = (AccessControlled) context;
    } else {
        scope = Jenkins.getInstance();
    }

    final boolean mayConfigure = scope != null && scope.hasPermission(Computer.CONFIGURE);
    if (!mayConfigure) {
        // Unprivileged callers see nothing beyond the value already configured.
        return new StandardUsernameListBoxModel()
                .includeCurrentValue(credentialsId);
    }

    try {
        final int parsedPort = Integer.parseInt(port);
        // NOTE(review): matching runs as ACL.SYSTEM against Jenkins.getActiveInstance(), not
        // against `context`, although the permission check above used `context` - confirm intended.
        return new StandardUsernameListBoxModel()
                .includeMatchingAs(
                        ACL.SYSTEM,
                        Jenkins.getActiveInstance(),
                        StandardUsernameCredentials.class,
                        Collections.<DomainRequirement>singletonList(
                                new HostnamePortRequirement(host, parsedPort)
                        ),
                        SSHAuthenticator.matcher(Connection.class))
                .includeCurrentValue(credentialsId); // always add the current value last in case already present
    } catch (NumberFormatException badPort) {
        return new StandardUsernameListBoxModel()
                .includeCurrentValue(credentialsId);
    }
}
/**
 * {@inheritDoc}
 *
 * <p>Delegates to the object returned by {@code getAccessControlled()}; when that is
 * {@code null} the root ACL of the configured authorization strategy is returned instead.
 */
public @Nonnull ACL getACL() {
    final AccessControlled delegate = getAccessControlled();
    if (delegate == null) {
        // TODO: Is the right thing to do?
        return Jenkins.getInstance().getAuthorizationStrategy().getRootACL();
    }
    return delegate.getACL();
}
/**
 * Populates the credentials drop-down, optionally narrowed to a Maven server id.
 *
 * <p>Callers without {@code Item.CONFIGURE} on the resolved context get a model holding only the
 * current value. Otherwise credentials are listed as the default authentication of
 * {@code context} when it is a {@code Queue.Task}, and as {@code ACL.SYSTEM} in every other case.
 *
 * @param context  item group from the request path
 * @param serverId server id used to build a {@code MavenServerIdRequirement} when not blank
 * @return the list box model for the credentials field
 */
public ListBoxModel doFillCredentialsIdItems(@AncestorInPath ItemGroup context, @QueryParameter String serverId) {
    AccessControlled scope;
    if (context instanceof AccessControlled) {
        scope = (AccessControlled) context;
    } else {
        scope = Jenkins.getActiveInstance();
    }

    final boolean mayConfigure = scope != null && scope.hasPermission(Item.CONFIGURE);
    if (!mayConfigure) {
        return new StandardUsernameListBoxModel().includeCurrentValue(serverId);
    }

    // A blank server id places no domain restriction on the lookup.
    final List<DomainRequirement> domainRequirements = StringUtils.isNotBlank(serverId)
            ? Collections.<DomainRequirement>singletonList(new MavenServerIdRequirement(serverId))
            : Collections.<DomainRequirement>emptyList();

    // NOTE(review): includeCurrentValue receives serverId, not a credentials id - confirm intended.
    // @formatter:off
    return new StandardUsernameListBoxModel().includeAs(
                context instanceof Queue.Task
                        ? Tasks.getDefaultAuthenticationOf((Queue.Task) context)
                        : ACL.SYSTEM,
                context,
                StandardUsernameCredentials.class,
                domainRequirements
            )
            .includeCurrentValue(serverId);
    // @formatter:on
}
/**
 * Something we can use to check abort and read permissions.
 * Normally this will be a {@link Run}.
 * However if things are badly broken, for example if the build has been deleted,
 * then as a fallback we use the Jenkins root.
 * This allows an administrator to clean up dead queue items and executor cells.
 *
 * <p>Every failure path below, including any exception, resolves to the root ACL rather than to
 * a denial, so access in the broken state is whatever the root ACL grants.
 *
 * TODO make {@link FlowExecutionOwner} implement {@link AccessControlled}
 * so that an implementation could fall back to checking {@link Job} permission.
 */
@Override public ACL getACL() {
    try {
        if (!context.isReady()) {
            return Jenkins.getActiveInstance().getACL();
        }
        final FlowExecution execution = context.get(FlowExecution.class);
        if (execution == null) {
            return Jenkins.getActiveInstance().getACL();
        }
        final Queue.Executable owner = execution.getOwner().getExecutable();
        if (!(owner instanceof AccessControlled)) {
            return Jenkins.getActiveInstance().getACL();
        }
        return ((AccessControlled) owner).getACL();
    } catch (Exception failure) {
        // Logged at FINE only; the caller still gets a usable ACL.
        LOGGER.log(FINE, null, failure);
        return Jenkins.getActiveInstance().getACL();
    }
}
/**
 * Appends {@code t} to {@code r} when the current user may read the item's task.
 *
 * <p>An item whose task is not {@code AccessControlled} is never added, so tasks without an ACL
 * are hidden rather than shown.
 *
 * @param r the list being built; mutated in place
 * @param t the candidate item
 * @return {@code r}, for chaining
 */
private List<Item> checkPermissionsAndAddToList(List<Item> r, Item t) {
    if (!(t.task instanceof hudson.security.AccessControlled)) {
        return r;
    }
    final hudson.security.AccessControlled guarded = (hudson.security.AccessControlled) t.task;
    // Either READ permission is sufficient; the second is only asked when the first is refused.
    final boolean readable = guarded.hasPermission(hudson.model.Item.READ)
            || guarded.hasPermission(hudson.security.Permission.READ);
    if (readable) {
        r.add(t);
    }
    return r;
}
/**
 * Action when 'restore' button is pressed: Restore deleted project.
 *
 * <p>Requires {@code Item.CONFIGURE} on the access-controlled object, then recreates the project
 * from its last available config XML under a name derived from the part of the request's
 * {@code name} parameter that precedes {@code "_deleted_"}, moves the history over and
 * redirects to the restored project.
 *
 * @param req
 *            Incoming StaplerRequest
 * @param rsp
 *            Outgoing StaplerResponse
 * @throws IOException
 *             If something goes wrong
 */
public final void doRestore(StaplerRequest req, StaplerResponse rsp)
        throws IOException {
    // NOTE(review): the only check visible here is Item.CONFIGURE; whether createProjectFromXML
    // enforces a create permission of its own cannot be seen from this method - confirm.
    getAccessControlledObject().checkPermission(Item.CONFIGURE);

    // NOTE(review): "name" is request-controlled and is used unvalidated below (a missing
    // parameter would fail on split); confirm the history lookup and copy confine it to the
    // history root.
    final String deletedName = req.getParameter("name");
    final String baseName = deletedName.split("_deleted_")[0];

    final XmlFile savedConfig = getLastAvailableConfigXml(deletedName);
    final byte[] xmlBytes = savedConfig.asString().getBytes("UTF-8");
    final InputStream xmlStream = new ByteArrayInputStream(xmlBytes);

    final String restoredName = findNewName(baseName);
    final TopLevelItem project = getJenkins().createProjectFromXML(restoredName, xmlStream);

    // TODO: Casting here should be removed.
    ((FileHistoryDao) getHistoryDao()).copyHistoryAndDelete(deletedName, restoredName);

    rsp.sendRedirect(getJenkins().getRootUrl() + project.getUrl());
}
/**
 * Called by {@link #doConfirmRename} and {@code rename.jelly} to validate renames.
 *
 * <p>Authorization: {@code Item.CONFIGURE} on this item is sufficient. Without it the caller
 * needs {@code Item.DELETE} on this item and, when the parent is {@link AccessControlled},
 * {@code Item.CREATE} on the parent; a missing permission surfaces from {@code checkPermission}
 * rather than as a {@link FormValidation}.
 *
 * @param newName the proposed name; trimmed before validation
 * @return {@link FormValidation#ok} if this item can be renamed as specified, otherwise
 * {@link FormValidation#error} with a message explaining the problem.
 */
@Restricted(NoExternalUse.class)
public @Nonnull FormValidation doCheckNewName(@QueryParameter String newName) {
    // TODO: Create an Item.RENAME permission to use here, see JENKINS-18649.
    final boolean mayConfigure = hasPermission(Item.CONFIGURE);
    if (!mayConfigure) {
        // Without CONFIGURE a rename is authorized like delete-and-recreate.
        if (parent instanceof AccessControlled) {
            ((AccessControlled) parent).checkPermission(Item.CREATE);
        }
        checkPermission(Item.DELETE);
    }

    if (newName != null) {
        newName = newName.trim();
    }

    try {
        Jenkins.checkGoodName(newName);
        assert newName != null; // Would have thrown Failure
        if (newName.equals(name)) {
            return FormValidation.warning(Messages.AbstractItem_NewNameUnchanged());
        }
        Jenkins.get().getProjectNamingStrategy().checkName(newName);
        checkIfNameIsUsed(newName);
        checkRename(newName);
    } catch (Failure rejected) {
        return FormValidation.error(rejected.getMessage());
    }
    return FormValidation.ok();
}
/**
 * Enforces {@code permission} on {@code object}, treating a {@code null} permission as
 * "nothing to enforce".
 *
 * @param object     the object whose ACL is consulted
 * @param permission the permission to require, or {@code null} to skip the check entirely
 */
public static void checkPermission(AccessControlled object, Permission permission) throws IOException, ServletException {
    // A null permission performs no check at all, so a caller that forgets to supply one
    // is silently let through.
    if (permission == null) {
        return;
    }
    object.checkPermission(permission);
}
/**
 * Convenient short-cut for {@code getACL().hasPermission(a, permission)}.
 *
 * <p>The {@code ACL.SYSTEM} authentication is granted everything without consulting the ACL;
 * the test is by reference identity, so only that exact instance takes the short-cut.
 *
 * @param a          the authentication to test
 * @param permission the permission to test
 * @return {@code true} for {@code ACL.SYSTEM}, otherwise the ACL's answer
 * @since 2.92
 */
default boolean hasPermission(@Nonnull Authentication a, @Nonnull Permission permission) {
    return a == ACL.SYSTEM || getACL().hasPermission(a, permission);
}
/**
 * Form validation for the credentials id field: reports an error when {@code value} does not
 * match any credential returned by the lookup below.
 *
 * <p>Callers without {@code Computer.CONFIGURE} on the resolved context always receive
 * {@link FormValidation#ok()}, so the response does not tell them whether the id exists.
 *
 * @param context the item group found in the request path; the Jenkins instance is used for the
 *                permission check when it is not {@link AccessControlled}
 * @param value   the credentials id submitted by the form
 * @return {@code ok} when the id matches or the caller may not configure, otherwise an error
 */
public FormValidation doCheckCredentialsId(@AncestorInPath ItemGroup context, @QueryParameter String value) {
    AccessControlled scope;
    if (context instanceof AccessControlled) {
        scope = (AccessControlled) context;
    } else {
        scope = Jenkins.getInstance();
    }

    final boolean mayConfigure = scope != null && scope.hasPermission(Computer.CONFIGURE);
    if (!mayConfigure) {
        return FormValidation.ok(); // no need to alarm a user that cannot configure
    }

    // The lookup runs as ACL.SYSTEM, not as the requesting user, so the permission check above
    // is the only gate on this existence probe.
    for (ListBoxModel.Option option : CredentialsProvider.listCredentials(
            StandardUsernameCredentials.class,
            context,
            ACL.SYSTEM,
            Collections.singletonList(SSHLauncher.SSH_SCHEME),
            SSHAuthenticator.matcher(Connection.class))) {
        if (StringUtils.equals(value, option.value)) {
            return FormValidation.ok();
        }
    }
    return FormValidation.error(Messages.SSHLauncher_SelectedCredentialsMissing());
}
/**
 * Lists the registered {@link TopLevelItemDescriptor}s that the given security principal may
 * create inside the given item group.
 *
 * <p>The ACL consulted is the group's own when the group is {@link AccessControlled}; otherwise
 * the ACL of the Jenkins instance is used.
 *
 * @param a the principal whose create permission is tested
 * @param c the item group the new item would live in
 * @return a new list holding every descriptor that is both permitted for {@code a} and
 *         applicable in {@code c}
 * @since 1.607
 */
public static List<TopLevelItemDescriptor> all(Authentication a, ItemGroup c) {
    // fall back to root when the group carries no ACL of its own
    final ACL acl = (c instanceof AccessControlled)
            ? ((AccessControlled) c).getACL()
            : Jenkins.getInstance().getACL();

    final List<TopLevelItemDescriptor> permitted = new ArrayList<TopLevelItemDescriptor>();
    for (TopLevelItemDescriptor descriptor : all()) {
        // Permission is evaluated first; applicability is only asked for permitted types.
        if (!acl.hasCreatePermission(a, c, descriptor)) {
            continue;
        }
        if (descriptor.isApplicableIn(c)) {
            permitted.add(descriptor);
        }
    }
    return permitted;
}
// Excerpt only: these statements are not contiguous in their original method (as shown,
// `if(parent.getItem(name)!=null)` is followed directly by a declaration, which would not
// compile), so read the ordering of checks as indicative, not exact.
// Checks visible here: Item.CREATE on `acl`, name validation through Jenkins.checkGoodName,
// an existing-item lookup on `parent`, and a create-permission check for `descriptor` in `parent`.
acl.checkPermission(Item.CREATE); Jenkins.checkGoodName(name); name = name.trim(); if(parent.getItem(name)!=null) Item src = Jenkins.getInstance().getItem(from, parent); if(src==null) { if(Util.fixEmpty(from)==null) acl.getACL().checkCreatePermission(parent, descriptor);
/**
 * Runs the validation code, after enforcing {@code permission} when one is set.
 *
 * <p>When {@code permission} is {@code null} no authorization is performed at all. When it is set,
 * a denial (including the "No subject" case) is overridden for callers holding
 * {@code Jenkins.ADMINISTER}; everyone else sees the original {@link AccessDeniedException}.
 */
public final void process() throws IOException, ServletException {
    if (permission != null) {
        try {
            if (subject == null) {
                throw new AccessDeniedException("No subject");
            }
            subject.checkPermission(permission);
        } catch (AccessDeniedException denied) {
            // Deliberate escape hatch: an instance-wide administrator passes every check, so a
            // broken ACL/SecurityRealm implementation or configuration cannot lock them out.
            final boolean isAdministrator = Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER);
            if (!isAdministrator) {
                throw denied;
            }
        }
    }
    check();
}