[FIXED HUDSON-1875] layout.jelly had a very error prone permission check that...

[FIXED HUDSON-1875] layout.jelly had a very error prone permission check that silentely passes when the "it" object is not an AccessControlled object. git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@10313 71c3de6d-444a-0410-be80-ed276b4c234a

[FIXED HUDSON-1875] layout.jelly had a very error prone permission check that...
[FIXED HUDSON-1875] layout.jelly had a very error prone permission check that silentely passes when the "it" object is not an AccessControlled object. git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@10313 71c3de6d-444a-0410-be80-ed276b4c234a
f34e35e2 · kohsuke · b5178dee · f34e35e2 · f34e35e2
隐藏空白更改
内联并排

Showing with 24 addition and 0 deletion

core/src/main/java/hudson/Functions.java core/src/main/java/hudson/Functions.java +22 -0

core/src/main/java/hudson/PluginManager.java core/src/main/java/hudson/PluginManager.java +2 -0

未找到文件。
--- a/core/src/main/java/hudson/Functions.java
+++ b/core/src/main/java/hudson/Functions.java
@@ -30,6 +30,7 @@ import hudson.tasks.BuildWrappers;
 import hudson.tasks.Builder;
 import hudson.tasks.Publisher;
 import hudson.util.Area;
+import hudson.util.Iterators;
 import org.acegisecurity.providers.anonymous.AnonymousAuthenticationToken;
 import org.apache.commons.jelly.JellyContext;
 import org.apache.commons.jexl.parser.ASTSizeFunction;
@@ -449,6 +450,27 @@ public class Functions {
        }
    }

+    /**
+     * This version is so that the 'checkPermission' on <tt>layout.jelly</tt>
+     * degrades gracefully if "it" is not an {@link AccessControlled} object.
+     * Otherwise it will perform no check and that problem is hard to notice.
+     */
+    public static void checkPermission(Object object, Permission permission) throws IOException, ServletException {
+        if (object instanceof AccessControlled)
+            checkPermission((AccessControlled) object,permission);
+        else {
+            List<Ancestor> ancs = Stapler.getCurrentRequest().getAncestors();
+            for(Ancestor anc : Iterators.reverse(ancs)) {
+                Object o = anc.getObject();
+                if (o instanceof AccessControlled) {
+                    checkPermission((AccessControlled) o,permission);
+                    return;
+                }
+            }
+            throw new AssertionError(); // ancestor must include Hudson, which is AccessControlled.
+        }
+    }
+
    /**
     * Returns true if the current user has the given permission.
     *

--- a/core/src/main/java/hudson/PluginManager.java
+++ b/core/src/main/java/hudson/PluginManager.java
@@ -186,6 +186,8 @@ public final class PluginManager extends AbstractModelObject {
    }

    public void doProxyConfigure(@QueryParameter("proxy.server") String server, @QueryParameter("proxy.port") String port, StaplerResponse rsp) throws IOException {
+        Hudson.getInstance().checkPermission(Hudson.ADMINISTER);
+
        Hudson hudson = Hudson.getInstance();
        server = Util.fixEmptyAndTrim(server);
        if(server==null) {