[FIXED HUDSON-2873] Require BUILD permission to post results for an external job.

(previously had no permission check other than overall READ permission). Changed AuthorizationStrategy.getACL(AbstractProject) to getACL(Job) and moved getACL() from AbstractProject.java to Job.java so this permission would apply to ExternalJob type. git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@14640 71c3de6d-444a-0410-be80-ed276b4c234a

[FIXED HUDSON-2873] Require BUILD permission to post results for an external job.
(previously had no permission check other than overall READ permission). Changed AuthorizationStrategy.getACL(AbstractProject) to getACL(Job) and moved getACL() from AbstractProject.java to Job.java so this permission would apply to ExternalJob type. git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@14640 71c3de6d-444a-0410-be80-ed276b4c234a
084226b1 · mindless · 0508d65e · 084226b1 · 084226b1 · 084226b1
5 changed file
--- a/core/src/main/java/hudson/model/AbstractProject.java
+++ b/core/src/main/java/hudson/model/AbstractProject.java
@@ -16,7 +16,6 @@ import hudson.scm.NullSCM;
 import hudson.scm.SCM;
 import hudson.scm.SCMS;
 import hudson.search.SearchIndexBuilder;
-import hudson.security.ACL;
 import hudson.security.Permission;
 import hudson.tasks.BuildStep;
 import hudson.tasks.BuildTrigger;
@@ -1159,15 +1158,6 @@ public abstract class AbstractProject<P extends AbstractProject<P,R>,R extends A
        return (AbstractProject)Hudson.getInstance().getItem(nearest);
    }

-    /**
-     * Returns the {@link ACL} for this object.
-     * We need to override the identical method in AbstractItem because we won't
-     * call getACL(AbstractProject) otherwise (single dispatch)
-     */
-    public ACL getACL() {
-        return Hudson.getInstance().getAuthorizationStrategy().getACL(this);
-    }
-
    private static final Comparator<Integer> REVERSE_INTEGER_COMPARATOR = new Comparator<Integer>() {
        public int compare(Integer o1, Integer o2) {
            return o2-o1;

--- a/core/src/main/java/hudson/model/ExternalJob.java
+++ b/core/src/main/java/hudson/model/ExternalJob.java
 package hudson.model;

+import hudson.model.AbstractProject;
 import hudson.model.RunMap.Constructor;
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.StaplerResponse;
@@ -59,6 +60,7 @@ public class ExternalJob extends ViewJob<ExternalJob,ExternalRun> implements Top
     * Used to post the build result from a remote machine.
     */
    public void doPostBuildResult( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException {
+        checkPermission(AbstractProject.BUILD);
        ExternalRun run = newBuild();
        run.acceptRemoteSubmission(req.getReader());
        rsp.setStatus(HttpServletResponse.SC_OK);

--- a/core/src/main/java/hudson/model/Job.java
+++ b/core/src/main/java/hudson/model/Job.java
@@ -13,6 +13,7 @@ import hudson.search.SearchIndex;
 import hudson.search.SearchIndexBuilder;
 import hudson.search.SearchItem;
 import hudson.search.SearchItems;
+import hudson.security.ACL;
 import hudson.tasks.LogRotator;
 import hudson.util.AtomicFileWriter;
 import hudson.util.ChartUtil;
@@ -1155,4 +1156,13 @@ public abstract class Job<JobT extends Job<JobT, RunT>, RunT extends Run<JobT, R
        RSS.forwardToRss(getDisplayName() + suffix, getUrl(), runs.newBuilds(),
                Run.FEED_ADAPTER, req, rsp);
    }
+
+    /**
+     * Returns the {@link ACL} for this object.
+     * We need to override the identical method in AbstractItem because we won't
+     * call getACL(Job) otherwise (single dispatch)
+     */
+    public ACL getACL() {
+        return Hudson.getInstance().getAuthorizationStrategy().getACL(this);
+    }
 }
--- a/core/src/main/java/hudson/security/AuthorizationStrategy.java
+++ b/core/src/main/java/hudson/security/AuthorizationStrategy.java
@@ -3,11 +3,11 @@ package hudson.security;
 import hudson.ExtensionPoint;
 import hudson.slaves.Cloud;
 import hudson.model.AbstractItem;
-import hudson.model.AbstractProject;
 import hudson.model.Computer;
 import hudson.model.Describable;
 import hudson.model.Descriptor;
 import hudson.model.Hudson;
+import hudson.model.Job;
 import hudson.model.User;
 import hudson.model.View;
 import hudson.model.Node;
@@ -51,7 +51,7 @@ public abstract class AuthorizationStrategy implements Describable<Authorization
     */
    public abstract ACL getRootACL();

-    public ACL getACL(AbstractProject<?,?> project) {
+    public ACL getACL(Job<?,?> project) {
    	return getRootACL();
    }


--- a/core/src/main/java/hudson/security/ProjectMatrixAuthorizationStrategy.java
+++ b/core/src/main/java/hudson/security/ProjectMatrixAuthorizationStrategy.java
 package hudson.security;

-import hudson.model.AbstractProject;
 import hudson.model.Descriptor;
+import hudson.model.Job;
 import hudson.model.Jobs;
 import hudson.util.RobustReflectionConverter;
 import com.thoughtworks.xstream.io.HierarchicalStreamReader;
@@ -19,7 +19,7 @@ import com.thoughtworks.xstream.core.JVM;
 */
 public class ProjectMatrixAuthorizationStrategy extends GlobalMatrixAuthorizationStrategy {
    @Override
-    public ACL getACL(AbstractProject<?,?> project) {
+    public ACL getACL(Job<?,?> project) {
        AuthorizationMatrixProperty amp = project.getProperty(AuthorizationMatrixProperty.class);
        if (amp != null && amp.isUseProjectSecurity()) {
            return amp.getACL().newInheritingACL(getRootACL());