[FIXED JENKINS-8214] Added a DISCOVER permission to allow anonymous users to...

[FIXED JENKINS-8214] Added a DISCOVER permission to allow anonymous users to be presented the login screen when accessing job URLs

changelog.html

@@ -58,6 +58,10 @@ Upcoming changes</a>
   <li class=bug>
     End up more gracefully if there's some problem when searching for user partipication in the build
     (<a href="https://issues.jenkins-ci.org/browse/JENKINS-13564">issue 13564</a>)
+  <li class=rfe>
+    Added a DISCOVER permission to allow anonymous users to be presented the login screen
+    when accessing job URLs.
+    (<a href="https://issues.jenkins-ci.org/browse/JENKINS-8214">issue 8214</a>)
 </ul>
 </div><!--=TRUNK-END=-->
 

core/src/main/java/hudson/model/Item.java

@@ -224,6 +224,7 @@ public interface Item extends PersistenceRoot, SearchableModelObject, AccessCont
     Permission DELETE = new Permission(PERMISSIONS, "Delete", null, Permission.DELETE, PermissionScope.ITEM);
     Permission CONFIGURE = new Permission(PERMISSIONS, "Configure", null, Permission.CONFIGURE, PermissionScope.ITEM);
     Permission READ = new Permission(PERMISSIONS, "Read", null, Permission.READ, PermissionScope.ITEM);
+    Permission DISCOVER = new Permission(PERMISSIONS, "Discover", Messages._AbstractProject_DiscoverPermission_Description(), Permission.READ, PermissionScope.ITEM);
     Permission EXTENDED_READ = new Permission(PERMISSIONS,"ExtendedRead", Messages._AbstractProject_ExtendedReadPermission_Description(), CONFIGURE, Boolean.getBoolean("hudson.security.ExtendedReadPermission"), new PermissionScope[]{PermissionScope.ITEM});
     Permission BUILD = new Permission(PERMISSIONS, "Build", Messages._AbstractProject_BuildPermission_Description(),  Permission.UPDATE, PermissionScope.ITEM);
     Permission WORKSPACE = new Permission(PERMISSIONS, "Workspace", Messages._AbstractProject_WorkspacePermission_Description(), Permission.READ, PermissionScope.ITEM);

core/src/main/java/jenkins/model/Jenkins.java

@@ -200,7 +200,6 @@ import org.acegisecurity.AcegiSecurityException;
 import org.acegisecurity.Authentication;
 import org.acegisecurity.GrantedAuthority;
 import org.acegisecurity.GrantedAuthorityImpl;
-import org.acegisecurity.context.SecurityContext;
 import org.acegisecurity.context.SecurityContextHolder;
 import org.acegisecurity.providers.anonymous.AnonymousAuthenticationToken;
 import org.acegisecurity.ui.AbstractProcessingFilter;
@@ -2111,8 +2110,14 @@ public class Jenkins extends AbstractCIBase implements ModifiableItemGroup<TopLe
     public TopLevelItem getItem(String name) {
         if (name==null)    return null;
     	TopLevelItem item = items.get(name);
-        if (item==null || !item.hasPermission(Item.READ))
+        if (item==null)
             return null;
+        if (!item.hasPermission(Item.READ)) {
+            if (item.hasPermission(Item.DISCOVER)) {
+                throw new AccessDeniedException("Please login to access job " + name);
+            }
+            return null;
+        }
         return item;
     }
 

core/src/main/resources/hudson/model/Messages.properties

@@ -57,6 +57,10 @@ AbstractProject.ExtendedReadPermission.Description=\
   This permission grants read-only access to project configurations. Please be \
   aware that sensitive information in your builds, such as passwords, will be \
   exposed to a wider audience by granting this permission.
+AbstractProject.DiscoverPermission.Description=\
+  This permission grants discover access to jobs. Lower than read permissions, it allows you to \
+  redirect anonymous users to the login page when they try to access a job url. \
+  Without it they would get a 404 error and wouldn't be able to discover project names.
 AbstractProject.WipeOutPermission.Description=\
   This permission grants the ability to wipe out the contents of a workspace.
 AbstractProject.CancelPermission.Description=\