Restricting postBack access to users with ADMINISTER.

core/src/main/java/hudson/model/DownloadService.java

@@ -67,7 +67,7 @@ public class DownloadService extends PageDecorator {
      * Builds up an HTML fragment that starts all the download jobs.
      */
     public String generateFragment() {
-        if (!DownloadSettings.get().isUseBrowser()) {
+        if (!DownloadSettings.usePostBack()) {
             return "";
         }
     	if (neverUpdate) return "";
@@ -308,9 +308,7 @@ public class DownloadService extends PageDecorator {
          * This is where the browser sends us the data. 
          */
         public void doPostBack(StaplerRequest req, StaplerResponse rsp) throws IOException {
-            if (!DownloadSettings.get().isUseBrowser()) {
-                throw new IOException("not allowed");
-            }
+            DownloadSettings.checkPostBackAccess();
             long dataTimestamp = System.currentTimeMillis();
             due = dataTimestamp+getInterval();  // success or fail, don't try too often
 

core/src/main/java/hudson/model/UpdateSite.java

@@ -174,9 +174,7 @@ public class UpdateSite {
      * This is the endpoint that receives the update center data file from the browser.
      */
     public FormValidation doPostBack(StaplerRequest req) throws IOException, GeneralSecurityException {
-        if (!DownloadSettings.get().isUseBrowser()) {
-            throw new IOException("not allowed");
-        }
+        DownloadSettings.checkPostBackAccess();
         return updateData(IOUtils.toString(req.getInputStream(),"UTF-8"), true);
     }
 

core/src/main/java/jenkins/model/DownloadSettings.java

@@ -34,6 +34,7 @@ import hudson.model.UpdateSite;
 import hudson.util.FormValidation;
 import java.io.IOException;
 import net.sf.json.JSONObject;
+import org.acegisecurity.AccessDeniedException;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.NoExternalUse;
 import org.kohsuke.stapler.HttpResponse;
@@ -75,6 +76,17 @@ import org.kohsuke.stapler.StaplerRequest;
         return GlobalConfigurationCategory.get(GlobalConfigurationCategory.Security.class);
     }
 
+    public static boolean usePostBack() {
+        return get().isUseBrowser() && Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER);
+    }
+
+    public static void checkPostBackAccess() throws AccessDeniedException {
+        if (!get().isUseBrowser()) {
+            throw new AccessDeniedException("browser-based download disabled");
+        }
+        Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
+    }
+
     @Extension public static final class DailyCheck extends AsyncPeriodicWork {
 
         public DailyCheck() {

core/src/main/resources/hudson/model/UpdateCenter/PageDecoratorImpl/footer.jelly

@@ -31,8 +31,8 @@ THE SOFTWARE.
 -->
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
-  <j:invokeStatic var="ds" className="jenkins.model.DownloadSettings" method="get"/>
-  <j:if test="${ds.useBrowser}">
+  <j:invokeStatic var="enabled" className="jenkins.model.DownloadSettings" method="usePostBack"/>
+  <j:if test="${enabled}">
   <j:forEach var="site" items="${app.updateCenter.sites}">
     <j:if test="${site.due or forcedUpdateCheck}">
       <script>