replacing more adminCheck() by permission constants

git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@6351 71c3de6d-444a-0410-be80-ed276b4c234a

replacing more adminCheck() by permission constants
git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@6351 71c3de6d-444a-0410-be80-ed276b4c234a
7b7be1e1 · kohsuke · 3c158ba1 · 7b7be1e1 · 7b7be1e1 · 7b7be1e1
16 changed file
--- a/core/src/main/java/hudson/PluginWrapper.java
+++ b/core/src/main/java/hudson/PluginWrapper.java
@@ -435,14 +435,12 @@ public final class PluginWrapper {
 //
 //
    public void doMakeEnabled(StaplerRequest req, StaplerResponse rsp) throws IOException {
-        if(!Hudson.adminCheck(req,rsp))
-            return;
+    Hudson.getInstance().checkPermission(Hudson.ADMINISTER);
        enable();
        rsp.setStatus(200);
    }
    public void doMakeDisabled(StaplerRequest req, StaplerResponse rsp) throws IOException {
-        if(!Hudson.adminCheck(req,rsp))
-            return;
+        Hudson.getInstance().checkPermission(Hudson.ADMINISTER);
        disable();
        rsp.setStatus(200);
    }

--- a/core/src/main/java/hudson/maven/MavenModuleSet.java
+++ b/core/src/main/java/hudson/maven/MavenModuleSet.java
@@ -425,8 +425,7 @@ public final class MavenModuleSet extends AbstractMavenProject<MavenModuleSet,Ma
     * Delete all disabled modules.
     */
    public void doDoDeleteAllDisabledModules(StaplerRequest req, StaplerResponse rsp) throws IOException {
-        if(!Hudson.adminCheck(req,rsp))
-            return;
+        checkPermission(DELETE);
        for( MavenModule m : getDisabledModules(true))
            m.delete();
        rsp.sendRedirect2(".");

--- a/core/src/main/java/hudson/model/AbstractItem.java
+++ b/core/src/main/java/hudson/model/AbstractItem.java
@@ -3,6 +3,9 @@ package hudson.model;
 import hudson.XmlFile;
 import hudson.Util;
 import hudson.Functions;
+import hudson.security.Permission;
+import hudson.security.ACL;
+import hudson.security.AuthorizationStrategy;
 import org.kohsuke.stapler.export.Exported;
 import org.kohsuke.stapler.export.ExportedBean;

@@ -157,6 +160,21 @@ public abstract class AbstractItem extends Actionable implements Item {
        return new Api(this);
    }

+    /**
+     * Returns the {@link ACL} for this object.
+     */
+    public ACL getACL() {
+        // TODO: this object should have its own ACL
+        return Hudson.getInstance().getACL();
+    }
+
+    /**
+     * Short for {@code getACL().checkPermission(p)}
+     */
+    public void checkPermission(Permission p) {
+        getACL().checkPermission(p);
+    }
+
    /**
     * Save the settings to a file.
     */
@@ -172,8 +190,7 @@ public abstract class AbstractItem extends Actionable implements Item {
     * Accepts the new description.
     */
    public synchronized void doSubmitDescription( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException {
-        if(!Hudson.adminCheck(req,rsp))
-            return;
+        checkPermission(CONFIGURE);

        req.setCharacterEncoding("UTF-8");
        setDescription(req.getParameter("description"));
@@ -185,8 +202,7 @@ public abstract class AbstractItem extends Actionable implements Item {
     * Deletes this item.
     */
    public void doDoDelete( StaplerRequest req, StaplerResponse rsp ) throws IOException {
-        if(!Hudson.adminCheck(req,rsp))
-            return;
+        checkPermission(DELETE);
        delete();
        rsp.sendRedirect2(req.getContextPath()+"/"+getParent().getUrl());
    }

--- a/core/src/main/java/hudson/model/AbstractProject.java
+++ b/core/src/main/java/hudson/model/AbstractProject.java
@@ -5,6 +5,7 @@ import hudson.FilePath;
 import hudson.Launcher;
 import hudson.AbortException;
 import hudson.StructuredForm;
+import hudson.security.Permission;
 import hudson.widgets.HistoryWidget;
 import hudson.widgets.BuildHistoryWidget;
 import hudson.maven.MavenModule;
@@ -760,28 +761,25 @@ public abstract class AbstractProject<P extends AbstractProject<P,R>,R extends A
     * Schedules a new build command.
     */
    public void doBuild( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException {
-    if(BuildAuthorizationToken.canStartBuild(authToken, req, rsp)) {
+        BuildAuthorizationToken.checkPermission(this, authToken, req, rsp);
        scheduleBuild();
        rsp.forwardToPreviousPage(req);
    }
-}

    /**
     * Schedules a new SCM polling command.
     */
    public void doPolling( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException {
-        if(BuildAuthorizationToken.canStartBuild(authToken, req, rsp)) {
-            schedulePolling();
-            rsp.forwardToPreviousPage(req);
-        }
+        BuildAuthorizationToken.checkPermission(this, authToken, req, rsp);
+        schedulePolling();
+        rsp.forwardToPreviousPage(req);
    }

    /**
     * Cancels a scheduled build.
     */
    public void doCancelQueue( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException {
-        if(!Hudson.adminCheck(req,rsp))
-            return;
+        checkPermission(BUILD);

        Hudson.getInstance().getQueue().cancel(this);
        rsp.forwardToPreviousPage(req);
@@ -929,4 +927,6 @@ public abstract class AbstractProject<P extends AbstractProject<P,R>,R extends A
    };

    private static final Logger LOGGER = Logger.getLogger(AbstractProject.class.getName());
+
+    public static final Permission BUILD = new Permission(AbstractProject.class,"Build", Permission.UPDATE);
 }
--- a/core/src/main/java/hudson/model/BuildAuthorizationToken.java
+++ b/core/src/main/java/hudson/model/BuildAuthorizationToken.java
@@ -27,20 +27,20 @@ public final class BuildAuthorizationToken {
            return null;
    }

-    public static boolean canStartBuild(BuildAuthorizationToken token, StaplerRequest req, StaplerResponse rsp) throws IOException {
+    public static void checkPermission(AbstractProject project, BuildAuthorizationToken token, StaplerRequest req, StaplerResponse rsp) throws IOException {
        if (!Hudson.getInstance().isUseSecurity())
-            return true;    // everyone is authorized
+            return;    // everyone is authorized

        if(token!=null) {
            if(token.token != null) {
                //check the provided token
                String providedToken = req.getParameter("token");
                if (providedToken != null && providedToken.equals(token.token))
-                    return true;
+                    return;
            }
        }

-        return Hudson.adminCheck(req, rsp);
+        project.checkPermission(AbstractProject.BUILD);
    }

    public String getToken() {

--- a/core/src/main/java/hudson/model/Computer.java
+++ b/core/src/main/java/hudson/model/Computer.java
@@ -338,8 +338,7 @@ public abstract class Computer extends AbstractModelObject {
    }

    public void doToggleOffline( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException {
-        if(!Hudson.adminCheck(req,rsp))
-            return;
+        Hudson.getInstance().checkPermission(Hudson.ADMINISTER);

        setTemporarilyOffline(!temporarilyOffline);
        rsp.forwardToPreviousPage(req);
@@ -349,8 +348,8 @@ public abstract class Computer extends AbstractModelObject {
     * Dumps the contents of the export table.
     */
    public void doDumpExportTable( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException {
-        if(!Hudson.adminCheck(req,rsp)) // this is a debug probe and may expose sensitive information
-            return;
+        // this is a debug probe and may expose sensitive information
+        Hudson.getInstance().checkPermission(Hudson.ADMINISTER);

        rsp.setContentType("text/plain");
        rsp.setCharacterEncoding("UTF-8");

--- a/core/src/main/java/hudson/model/Hudson.java
+++ b/core/src/main/java/hudson/model/Hudson.java
@@ -883,13 +883,6 @@ public final class Hudson extends View implements ItemGroup<TopLevelItem>, Node
        return authorizationStrategy.getRootACL();
    }

-    /**
-     * Short for {@code getACL().checkPermission(p)}
-     */
-    public void checkPermission(Permission p) {
-        getACL().checkPermission(p);
-    }
-
    /**
     * @return
     *      never null.
@@ -2151,7 +2144,7 @@ public final class Hudson extends View implements ItemGroup<TopLevelItem>, Node
    /**
     * Administrative access to Hudson.
     */
-    public static final Permission ADMINISTER = new Permission(Hudson.class,"Administer", Permission.CONFIGURE);
+    public static final Permission ADMINISTER = new Permission(Hudson.class,"Administer", Permission.FULL_CONTROL);

    static {
        XSTREAM.alias("hudson",Hudson.class);

--- a/core/src/main/java/hudson/model/Item.java
+++ b/core/src/main/java/hudson/model/Item.java
@@ -6,6 +6,7 @@ import java.io.IOException;
 import java.util.Collection;

 import hudson.search.SearchableModelObject;
+import hudson.security.Permission;

 /**
 * Basic configuration unit in Hudson.
@@ -153,4 +154,8 @@ public interface Item extends PersistenceRoot, SearchableModelObject {
     * to save the data.
     */
    public void save() throws IOException;
+
+    public static final Permission CREATE = new Permission(Item.class,"Create", Permission.CREATE);
+    public static final Permission DELETE = new Permission(Item.class,"Delete", Permission.DELETE);
+    public static final Permission CONFIGURE = new Permission(Item.class,"Configure", Permission.CONFIGURE);
 }
--- a/core/src/main/java/hudson/model/Job.java
+++ b/core/src/main/java/hudson/model/Job.java
@@ -679,8 +679,7 @@ public abstract class Job<JobT extends Job<JobT,RunT>, RunT extends Run<JobT,Run
     * Accepts submission from the configuration page.
     */
    public synchronized void doConfigSubmit(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
-        if (!Hudson.adminCheck(req, rsp))
-            return;
+        checkPermission(CONFIGURE);

        req.setCharacterEncoding("UTF-8");

@@ -889,8 +888,9 @@ public abstract class Job<JobT extends Job<JobT,RunT>, RunT extends Run<JobT,Run
     * Renames this job.
     */
    public /*not synchronized. see renameTo()*/ void doDoRename( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException {
-        if(!Hudson.adminCheck(req,rsp))
-            return;
+        // rename is essentially delete followed by a create
+        checkPermission(CREATE);
+        checkPermission(DELETE);

        String newName = req.getParameter("newName");
        try {
@@ -917,9 +917,4 @@ public abstract class Job<JobT extends Job<JobT,RunT>, RunT extends Run<JobT,Run
        RSS.forwardToRss(getDisplayName()+ suffix, getUrl(),
            runs.newBuilds(), Run.FEED_ADAPTER, req, rsp );
    }
-
-    /**
-     * Permission to create new jobs.
-     */
-    public static final Permission CREATE = new Permission(Job.class,"Create", Permission.CREATE);
 }
--- a/core/src/main/java/hudson/model/ListView.java
+++ b/core/src/main/java/hudson/model/ListView.java
 package hudson.model;

 import hudson.Util;
+import hudson.security.Permission;
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.StaplerResponse;

@@ -81,9 +82,6 @@ public class ListView extends View {
    }

    public Item doCreateItem(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
-        if(!Hudson.adminCheck(req,rsp))
-            return null;
-
        Item item = owner.doCreateItem(req, rsp);
        if(item!=null) {
            jobNames.add(item.getName());
@@ -100,8 +98,7 @@ public class ListView extends View {
     * Accepts submission from the configuration page.
     */
    public synchronized void doConfigSubmit( StaplerRequest req, StaplerResponse rsp ) throws IOException {
-        if(!Hudson.adminCheck(req,rsp))
-            return;
+        checkPermission(CONFIGURE);

        req.setCharacterEncoding("UTF-8");
        
@@ -124,8 +121,7 @@ public class ListView extends View {
     * Accepts the new description.
     */
    public synchronized void doSubmitDescription( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException {
-        if(!Hudson.adminCheck(req,rsp))
-            return;
+        checkPermission(CONFIGURE);

        req.setCharacterEncoding("UTF-8");
        description = req.getParameter("description");
@@ -137,10 +133,12 @@ public class ListView extends View {
     * Deletes this view.
     */
    public synchronized void doDoDelete( StaplerRequest req, StaplerResponse rsp ) throws IOException {
-        if(!Hudson.adminCheck(req,rsp))
-            return;
+        checkPermission(DELETE);

        owner.deleteView(this);
        rsp.sendRedirect2(req.getContextPath()+"/");
    }
+
+    public static final Permission DELETE = new Permission(Item.class,"Delete", Permission.DELETE);
+    public static final Permission CONFIGURE = new Permission(Item.class,"Configure", Permission.CONFIGURE);
 }
--- a/core/src/main/java/hudson/model/Run.java
+++ b/core/src/main/java/hudson/model/Run.java
@@ -9,6 +9,7 @@ import hudson.FilePath;
 import hudson.Util;
 import static hudson.Util.combine;
 import hudson.XmlFile;
+import hudson.security.Permission;
 import hudson.matrix.MatrixBuild;
 import hudson.matrix.MatrixRun;
 import hudson.model.listeners.RunListener;
@@ -562,6 +563,11 @@ public abstract class Run <JobT extends Job<JobT,RunT>,RunT extends Run<JobT,Run
        return new Api(this);
    }

+    public void checkPermission(Permission p) {
+        // for now, don't maintain ACL per run, and do it at project level
+        getParent().checkPermission(p);
+    }
+
    /**
     * Deletes this build and its entire log
     *
@@ -906,8 +912,7 @@ public abstract class Run <JobT extends Job<JobT,RunT>,RunT extends Run<JobT,Run
    }

    public void doToggleLogKeep( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException {
-        if(!Hudson.adminCheck(req,rsp))
-            return;
+        checkPermission(UPDATE);

        keepLog = !keepLog;
        save();
@@ -926,9 +931,8 @@ public abstract class Run <JobT extends Job<JobT,RunT>,RunT extends Run<JobT,Run
     * Deletes the build when the button is pressed.
     */
    public void doDoDelete( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException {
-        if(!Hudson.adminCheck(req,rsp))
-            return;
-        
+        checkPermission(DELETE);
+
        // We should not simply delete the build if it has been explicitly
        // marked to be preserved, or if the build should not be deleted
        // due to dependencies!
@@ -946,8 +950,7 @@ public abstract class Run <JobT extends Job<JobT,RunT>,RunT extends Run<JobT,Run
     * Accepts the new description.
     */
    public synchronized void doSubmitDescription( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException {
-        if(!Hudson.adminCheck(req,rsp))
-            return;
+        checkPermission(UPDATE);

        req.setCharacterEncoding("UTF-8");
        description = req.getParameter("description");
@@ -1043,4 +1046,7 @@ public abstract class Run <JobT extends Job<JobT,RunT>,RunT extends Run<JobT,Run
        public String getUrlName() { return null; }
        public String getWhyKeepLog() { return Run.this.getWhyKeepLog(); }
    }
+
+    public static final Permission DELETE = new Permission(Item.class,"Delete", Permission.DELETE);
+    public static final Permission UPDATE = new Permission(Item.class,"Update", Permission.UPDATE);
 }
--- a/core/src/main/java/hudson/model/Slave.java
+++ b/core/src/main/java/hudson/model/Slave.java
@@ -398,8 +398,7 @@ public final class Slave implements Node, Serializable {
        }

        public void doDoDisconnect(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
-            if(!Hudson.adminCheck(req,rsp))
-                return;
+            Hudson.getInstance().checkPermission(Hudson.ADMINISTER);
            closeChannel();
            rsp.sendRedirect(".");
        }

--- a/core/src/main/java/hudson/model/View.java
+++ b/core/src/main/java/hudson/model/View.java
@@ -2,6 +2,7 @@ package hudson.model;

 import hudson.Util;
 import hudson.security.Permission;
+import hudson.security.ACL;
 import hudson.scm.ChangeLogSet.Entry;
 import hudson.search.CollectionSearchIndex;
 import hudson.search.SearchIndexBuilder;
@@ -82,6 +83,21 @@ public abstract class View extends AbstractModelObject {
        return new Api(this);
    }

+    /**
+     * Returns the {@link ACL} for this object.
+     */
+    public ACL getACL() {
+        // TODO: this object should have its own ACL
+        return Hudson.getInstance().getACL();
+    }
+
+    /**
+     * Short for {@code getACL().checkPermission(p)}
+     */
+    public void checkPermission(Permission p) {
+        getACL().checkPermission(p);
+    }
+
    public static final class UserInfo implements Comparable<UserInfo> {
        private final User user;
        private Calendar lastChange;

--- a/core/src/main/java/hudson/scm/CVSSCM.java
+++ b/core/src/main/java/hudson/scm/CVSSCM.java
@@ -1027,8 +1027,7 @@ public class CVSSCM extends SCM implements Serializable {
         * cvs does some tty magic to disable echo back or whatever.
         */
        public void doPostPassword(StaplerRequest req, StaplerResponse rsp) throws IOException, InterruptedException {
-            if(!Hudson.adminCheck(req,rsp))
-                return;
+            Hudson.getInstance().checkPermission(Hudson.ADMINISTER);

            String cvsroot = req.getParameter("cvsroot");
            String password = req.getParameter("password");

--- a/core/src/main/java/hudson/scm/SubversionSCM.java
+++ b/core/src/main/java/hudson/scm/SubversionSCM.java
@@ -941,7 +941,7 @@ public class SubversionSCM extends SCM implements Serializable {
         * This code is fairly ugly because of the way SVNKit handles credentials.
         */
        public void doPostCredential(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
-            if(!Hudson.adminCheck(req,rsp)) return;
+            Hudson.getInstance().checkPermission(Hudson.ADMINISTER);

            MultipartFormDataParser parser = new MultipartFormDataParser(req);


--- a/core/src/main/java/hudson/security/Permission.java
+++ b/core/src/main/java/hudson/security/Permission.java
@@ -119,5 +119,5 @@ public class Permission {
    /**
     * Generic configuration access.
     */
-    public static final Permission CONFIGURE = new Permission(Permission.class,"Generic Configure",WRITE);
+    public static final Permission CONFIGURE = new Permission(Permission.class,"Generic Configure",UPDATE);
 }