Restricting postBack access to users with ADMINISTER.

20340e18 · Jesse Glick · c1adb4e6 · 20340e18 · 20340e18 · 20340e18
4 changed file
--- a/core/src/main/java/hudson/model/DownloadService.java
+++ b/core/src/main/java/hudson/model/DownloadService.java
@@ -67,7 +67,7 @@ public class DownloadService extends PageDecorator {
     * Builds up an HTML fragment that starts all the download jobs.
     */
    public String generateFragment() {
-        if (!DownloadSettings.get().isUseBrowser()) {
+        if (!DownloadSettings.usePostBack()) {
            return "";
        }
    	if (neverUpdate) return "";
@@ -308,9 +308,7 @@ public class DownloadService extends PageDecorator {
         * This is where the browser sends us the data. 
         */
        public void doPostBack(StaplerRequest req, StaplerResponse rsp) throws IOException {
-            if (!DownloadSettings.get().isUseBrowser()) {
+            DownloadSettings.checkPostBackAccess();
-                throw new IOException("not allowed");
-            }
            long dataTimestamp = System.currentTimeMillis();
            due = dataTimestamp+getInterval();  // success or fail, don't try too often

--- a/core/src/main/java/hudson/model/UpdateSite.java
+++ b/core/src/main/java/hudson/model/UpdateSite.java
@@ -174,9 +174,7 @@ public class UpdateSite {
     * This is the endpoint that receives the update center data file from the browser.
     */
    public FormValidation doPostBack(StaplerRequest req) throws IOException, GeneralSecurityException {
-        if (!DownloadSettings.get().isUseBrowser()) {
+        DownloadSettings.checkPostBackAccess();
-            throw new IOException("not allowed");
-        }
        return updateData(IOUtils.toString(req.getInputStream(),"UTF-8"), true);
    }

--- a/core/src/main/java/jenkins/model/DownloadSettings.java
+++ b/core/src/main/java/jenkins/model/DownloadSettings.java
@@ -34,6 +34,7 @@ import hudson.model.UpdateSite;
 import hudson.util.FormValidation;
 import java.io.IOException;
 import net.sf.json.JSONObject;
+import org.acegisecurity.AccessDeniedException;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.NoExternalUse;
 import org.kohsuke.stapler.HttpResponse;
@@ -75,6 +76,17 @@ import org.kohsuke.stapler.StaplerRequest;
        return GlobalConfigurationCategory.get(GlobalConfigurationCategory.Security.class);
    }
+    public static boolean usePostBack() {
+        return get().isUseBrowser() && Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER);
+    }
+    public static void checkPostBackAccess() throws AccessDeniedException {
+        if (!get().isUseBrowser()) {
+            throw new AccessDeniedException("browser-based download disabled");
+        }
+        Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
+    }
    @Extension public static final class DailyCheck extends AsyncPeriodicWork {
        public DailyCheck() {

--- a/core/src/main/resources/hudson/model/UpdateCenter/PageDecoratorImpl/footer.jelly
+++ b/core/src/main/resources/hudson/model/UpdateCenter/PageDecoratorImpl/footer.jelly
@@ -31,8 +31,8 @@ THE SOFTWARE.
 -->
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
-  <j:invokeStatic var="ds" className="jenkins.model.DownloadSettings" method="get"/>
+  <j:invokeStatic var="enabled" className="jenkins.model.DownloadSettings" method="usePostBack"/>
-  <j:if test="${ds.useBrowser}">
+  <j:if test="${enabled}">
  <j:forEach var="site" items="${app.updateCenter.sites}">
    <j:if test="${site.due or forcedUpdateCheck}">
      <script>