From 20340e1842317f2564abd59d15eb2c958892f526 Mon Sep 17 00:00:00 2001
From: Jesse Glick
Date: Tue, 20 Jan 2015 13:44:08 -0500
Subject: [PATCH] Restricting postBack access to users with ADMINISTER.

---
 core/src/main/java/hudson/model/DownloadService.java | 6 ++----
 core/src/main/java/hudson/model/UpdateSite.java | 4 +---
 .../main/java/jenkins/model/DownloadSettings.java | 12 ++++++++++++
 .../UpdateCenter/PageDecoratorImpl/footer.jelly | 4 ++--
 4 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/core/src/main/java/hudson/model/DownloadService.java b/core/src/main/java/hudson/model/DownloadService.java
index 0d35c01538..a9e5354e6c 100644
--- a/core/src/main/java/hudson/model/DownloadService.java
+++ b/core/src/main/java/hudson/model/DownloadService.java
@@ -67,7 +67,7 @@ public class DownloadService extends PageDecorator {
 * Builds up an HTML fragment that starts all the download jobs.
 */
 public String generateFragment() {
- if (!DownloadSettings.get().isUseBrowser()) {
+ if (!DownloadSettings.usePostBack()) {
 return "";
 }
 if (neverUpdate) return "";
@@ -308,9 +308,7 @@ public class DownloadService extends PageDecorator {
 * This is where the browser sends us the data.
 */
 public void doPostBack(StaplerRequest req, StaplerResponse rsp) throws IOException {
- if (!DownloadSettings.get().isUseBrowser()) {
- throw new IOException("not allowed");
- }
+ DownloadSettings.checkPostBackAccess();
 long dataTimestamp = System.currentTimeMillis();
 due = dataTimestamp+getInterval(); // success or fail, don't try too often
 
diff --git a/core/src/main/java/hudson/model/UpdateSite.java b/core/src/main/java/hudson/model/UpdateSite.java
index 006b8a003b..8d3d09c8b2 100644
--- a/core/src/main/java/hudson/model/UpdateSite.java
+++ b/core/src/main/java/hudson/model/UpdateSite.java
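Review bot: The new `usePostBack()` condition at the top of generateFragment() makes the emitted fragment depend on the current user's ADMINISTER permission and not only on the global "use browser" setting, and nothing on the line says so; a maintainer who later notices the script missing for non-admin page views could mistake that for a regression. Add `// start the browser-side download jobs only for users who are allowed to post the result back (see DownloadSettings.checkPostBackAccess)` above the check. The rest of generateFragment() is outside the hunk.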
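Review bot: `DownloadSettings.checkPostBackAccess()` authorizes the request on the caller's current session, so doPostBack is now only as safe as its protection against cross-site requests, and the hunk does not show whether the method is limited to POST; if it is not already annotated, add `@RequirePOST` above the signature so that the crumb-based CSRF protection covers it. The same question applies to UpdateSite.doPostBack in the next file. Separately, the denial is now an unchecked AccessDeniedException while the signature still declares only `throws IOException`; Jenkins turns that into an access-denied response, but the Javadoc should carry `@throws AccessDeniedException if browser-based download is disabled or the caller lacks ADMINISTER`. The remainder of doPostBack's body is outside the hunk.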
@@ -174,9 +174,7 @@ public class UpdateSite {
 * This is the endpoint that receives the update center data file from the browser.
 */
 public FormValidation doPostBack(StaplerRequest req) throws IOException, GeneralSecurityException {
- if (!DownloadSettings.get().isUseBrowser()) {
- throw new IOException("not allowed");
- }
+ DownloadSettings.checkPostBackAccess();
 return updateData(IOUtils.toString(req.getInputStream(),"UTF-8"), true);
 }
 
diff --git a/core/src/main/java/jenkins/model/DownloadSettings.java b/core/src/main/java/jenkins/model/DownloadSettings.java
index 387812b136..e16898ab86 100644
--- a/core/src/main/java/jenkins/model/DownloadSettings.java
+++ b/core/src/main/java/jenkins/model/DownloadSettings.java
@@ -34,6 +34,7 @@ import hudson.model.UpdateSite;
 import hudson.util.FormValidation;
 import java.io.IOException;
 import net.sf.json.JSONObject;
+import org.acegisecurity.AccessDeniedException;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.NoExternalUse;
 import org.kohsuke.stapler.HttpResponse;
@@ -75,6 +76,17 @@ import org.kohsuke.stapler.StaplerRequest;
 return GlobalConfigurationCategory.get(GlobalConfigurationCategory.Security.class);
 }
 
+ public static boolean usePostBack() {
+ return get().isUseBrowser() && Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER);
+ }
+
+ public static void checkPostBackAccess() throws AccessDeniedException {
+ if (!get().isUseBrowser()) {
+ throw new AccessDeniedException("browser-based download disabled");
+ }
+ Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
+ }
+
 @Extension
 public static final class DailyCheck extends AsyncPeriodicWork {
 public DailyCheck() {
diff --git a/core/src/main/resources/hudson/model/UpdateCenter/PageDecoratorImpl/footer.jelly b/core/src/main/resources/hudson/model/UpdateCenter/PageDecoratorImpl/footer.jelly
index 777f1192c7..684bc26bb0 100644
--- a/core/src/main/resources/hudson/model/UpdateCenter/PageDecoratorImpl/footer.jelly
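Review bot: The two new public methods `usePostBack()` and `checkPostBackAccess()` carry no Javadoc, and their division of labour is security-relevant: the first is only a rendering-time hint evaluated against the current authentication, while the second is the authoritative guard every postBack endpoint must call before reading the request body. Give each a short Javadoc saying exactly that, and note that both are also gated on the `isUseBrowser()` setting. The `throws AccessDeniedException` clause on checkPostBackAccess declares an unchecked exception, so it is informational only; the conventional place is a `@throws AccessDeniedException if browser-based download is disabled or the current user lacks ADMINISTER` tag. If DownloadSettings is `@Restricted(NoExternalUse.class)` as the import suggests, these methods inherit that restriction, otherwise they become public API that plugins may start depending on. Both also dereference `Jenkins.getInstance()` without a null check, which is acceptable if they are only reached from request handling but deserves a one-line comment saying so.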
+++ b/core/src/main/resources/hudson/model/UpdateCenter/PageDecoratorImpl/footer.jelly
@@ -31,8 +31,8 @@ THE SOFTWARE. --> - - + +