implemented a mechanism to prevent unauthorized users from seeing views.

git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@2394 71c3de6d-444a-0410-be80-ed276b4c234a

implemented a mechanism to prevent unauthorized users from seeing views.
git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@2394 71c3de6d-444a-0410-be80-ed276b4c234a
6540f542 · kohsuke · e15c8de1 · 6540f542 · 6540f542 · 6540f542
4 changed file
--- a/core/src/main/java/hudson/Functions.java
+++ b/core/src/main/java/hudson/Functions.java
@@ -8,10 +8,12 @@ import hudson.model.Run;
 import hudson.model.Items;
 import org.kohsuke.stapler.Ancestor;
 import org.kohsuke.stapler.StaplerRequest;
+import org.kohsuke.stapler.StaplerResponse;

 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.ServletException;
 import java.io.File;
 import java.io.IOException;
 import java.net.URI;
@@ -325,4 +327,11 @@ public class Functions {
    public static String encode(String s) {
        return Util.encode(s);
    }
+
+    public void adminCheck(StaplerRequest req, StaplerResponse rsp,boolean required) throws IOException, ServletException {
+        if(required && !Hudson.adminCheck(req,rsp)) {
+            // check failed
+            throw new ServletException("Unauthorized access");
+        }
+    }
 }
--- a/core/src/main/resources/hudson/model/Hudson/configure.jelly
+++ b/core/src/main/resources/hudson/model/Hudson/configure.jelly
@@ -2,7 +2,7 @@
  Config page
 -->
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:s="/lib/form">
-<l:layout norefresh="true">
+<l:layout norefresh="true" secured="true">
  <st:include page="sidepanel.jelly" />
  <l:main-panel xmlns:local="local">
    <s:form method="post" action="configSubmit">

--- a/core/src/main/resources/hudson/model/Job/configure.jelly
+++ b/core/src/main/resources/hudson/model/Job/configure.jelly
@@ -2,7 +2,7 @@
  Config page. derived class specific entries should go to configure-entries.jsp
 -->
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form" xmlns:i="jelly:fmt">
-  <l:layout title="${it.displayName} Config" norefresh="true">
+  <l:layout title="${it.displayName} Config" norefresh="true" secured="true">
    <st:include page="sidepanel.jelly" />
    <l:main-panel>
      <f:form method="post" action="configSubmit">

--- a/core/src/main/resources/lib/layout/layout.jelly
+++ b/core/src/main/resources/lib/layout/layout.jelly
@@ -5,6 +5,7 @@
  Attributes:
   title : controls the HTML page title. Mandatory.
   norefresh : set to "true" to disable auto refresh for this page.
+   secured : set to "true" to fail unless the caller is admin.
 -->
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define">
 <st:contentType value="text/html;charset=UTF-8" />
@@ -13,6 +14,9 @@
 <j:set var="_" value="${h.configureAutoRefresh(request, response, attrs.norefresh!=null)}"/>
 <html>
  <head>
+    <!-- if this page needs to be secured, make sure the user is admin -->
+    ${h.adminCheck(request,response,secured)}
+
    <title>${h.appendIfNotNull(title, ' [Hudson]', 'Hudson')}</title>
    <link rel="stylesheet" href="${rootURL}/css/style.css" type="text/css" />
    <link rel="stylesheet" href="${rootURL}/css/color.css" type="text/css" />