[FIXED JENKINS-3681] Added View.READ permission.

The trick for backward compatibility is in the default implementation
that grants View.READ to those who have access to items.

changelog.html

@@ -64,6 +64,9 @@ Upcoming changes</a>
   <li class=bug>
     Loading All Build History Fails.
     (<a href="https://issues.jenkins-ci.org/browse/JENKINS-13238">issue 13238</a>)  
+  <li class=rfe>
+    Added the View.READ permission to control visibility of views, and updated the default implementation to hide empty views.
+    (<a href="https://issues.jenkins-ci.org/browse/JENKINS-3681">issue 3681</a>)  
 
 </ul>
 </div><!--=TRUNK-END=-->

core/src/main/java/hudson/model/View.java

@@ -841,6 +841,7 @@ public abstract class View extends AbstractModelObject implements AccessControll
     public static final Permission CREATE = new Permission(PERMISSIONS,"Create", Messages._View_CreatePermission_Description(), Permission.CREATE, PermissionScope.ITEM_GROUP);
     public static final Permission DELETE = new Permission(PERMISSIONS,"Delete", Messages._View_DeletePermission_Description(), Permission.DELETE, PermissionScope.ITEM_GROUP);
     public static final Permission CONFIGURE = new Permission(PERMISSIONS,"Configure", Messages._View_ConfigurePermission_Description(), Permission.CONFIGURE, PermissionScope.ITEM_GROUP);
+    public static final Permission READ = new Permission(PERMISSIONS,"Read", Messages._View_ReadPermission_Description(), Permission.READ, PermissionScope.ITEM_GROUP);
 
     // to simplify access from Jelly
     public static Permission getItemCreatePermission() {

core/src/main/java/hudson/model/ViewGroupMixIn.java

@@ -32,6 +32,7 @@ import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.Iterator;
 import java.util.List;
 
 /**
@@ -108,7 +109,12 @@ public abstract class ViewGroupMixIn {
      */
     @Exported
     public Collection<View> getViews() {
-        List<View> copy = new ArrayList<View>(views());
+        List<View> orig = views();
+        List<View> copy = new ArrayList<View>(orig.size());
+        for (View v : orig) {
+            if (v.hasPermission(View.READ))
+                copy.add(v);
+        }
         Collections.sort(copy, View.SORTER);
         return copy;
     }

core/src/main/java/hudson/security/AuthorizationStrategy.java

@@ -38,6 +38,7 @@ import jenkins.model.Jenkins;
 import net.sf.json.JSONObject;
 
 import org.acegisecurity.Authentication;
+import org.acegisecurity.acls.sid.Sid;
 import org.kohsuke.stapler.StaplerRequest;
 
 /**
@@ -87,12 +88,24 @@ public abstract class AuthorizationStrategy extends AbstractDescribableImpl<Auth
      * This can be used as a basis for more fine-grained access control.
      *
      * <p>
-     * The default implementation returns the ACL of the ViewGroup.
+     * The default implementation makes the view visible if any of the items are visible
+     * or the view is configurable.
      *
      * @since 1.220
      */
-    public ACL getACL(View item) {
-    	return item.getOwner().getACL();
+    public ACL getACL(final View item) {
+        return new ACL() {
+            @Override
+            public boolean hasPermission(Authentication a, Permission permission) {
+                ACL base = item.getOwner().getACL();
+
+                if (permission==View.READ) {
+                    return base.hasPermission(a,View.CONFIGURE) || !item.getItems().isEmpty();
+                }
+
+                return base.hasPermission(a, permission);
+            }
+        };
     }
     
     /**

core/src/main/resources/hudson/model/Messages.properties

@@ -243,6 +243,8 @@ View.DeletePermission.Description=\
   This permission allows users to delete existing views.
 View.ConfigurePermission.Description=\
   This permission allows users to change the configuration of views.
+View.ReadPermission.Description=\
+  This permission allows users to see views (implied by generic read access).
 View.MissingMode=No view type is specified
 
 UpdateCenter.Status.CheckingInternet=Checking internet connectivity