privatestatic/* not final */booleanSECURITY_243_FULL_DEFENSE=Boolean.parseBoolean(System.getProperty(User.class.getName()+".SECURITY_243_FULL_DEFENSE","true"));
@@ -2485,8 +2485,8 @@ public class Jenkins extends AbstractCIBase implements DirectlyModifiableTopLeve
/**
* Gets the user of the given name.
*
* @return the user of the given name, if that person exists or the invoker {@link #hasPermission} on {@link #ADMINISTER}; else null
* @see User#get(String,boolean)
* @return the user of the given name (which may or may not be an id), if that person exists or the invoker {@link #hasPermission} on {@link #ADMINISTER}; else null
assertEquals("victim1 is a real user ID, we must ignore the attacker1’s fullName","victim1",victim1.getId());
assertEquals("a recursive call to User.get was OK",null,victim1.getProperty(MyViewsProperty.class).getPrimaryViewName());
assertEquals("(though the realm mistakenly added metadata to the attacker)","victim1",attacker1.getProperty(MyViewsProperty.class).getPrimaryViewName());
User.get("attacker2").setFullName("nonexistent");
assertEquals("but if we cannot find such a user ID, allow the fullName","attacker2",User.get("nonexistent").getId());
User.get("attacker3").setFullName("unknown");
assertEquals("or if we are not sure, allow the fullName","attacker3",User.get("unknown").getId());
User.get("attacker4").setFullName("Victim2");
assertEquals("victim2 is a real (canonical) user ID","victim2",User.get("Victim2").getId());