[FIXED HUDSON-2186] In project-based matrix security, global setting should be...

[FIXED HUDSON-2186] In project-based matrix security, global setting should be inherited to per-job setting. IN 1.265. git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@13654 71c3de6d-444a-0410-be80-ed276b4c234a

[FIXED HUDSON-2186] In project-based matrix security, global setting should be...
[FIXED HUDSON-2186] In project-based matrix security, global setting should be inherited to per-job setting. IN 1.265. git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@13654 71c3de6d-444a-0410-be80-ed276b4c234a
63eec22c · kohsuke · a123831b · 63eec22c · 63eec22c · 63eec22c
4 changed file
--- a/core/src/main/java/hudson/security/AuthorizationMatrixProperty.java
+++ b/core/src/main/java/hudson/security/AuthorizationMatrixProperty.java
@@ -36,7 +36,7 @@ public class AuthorizationMatrixProperty extends JobProperty<Job<?, ?>> {

 	public static final JobPropertyDescriptor DESCRIPTOR = new DescriptorImpl();

-	private transient ACL acl = new AclImpl();
+	private transient SidACL acl = new AclImpl();

 	private boolean useProjectSecurity;

@@ -178,7 +178,7 @@ public class AuthorizationMatrixProperty extends JobProperty<Job<?, ?>> {
 		return this;
 	}

-	public ACL getACL() {
+	public SidACL getACL() {
 		return acl;
 	}


--- a/core/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java
+++ b/core/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java
@@ -29,7 +29,7 @@ import java.util.Set;
 */
 // TODO: think about the concurrency commitment of this class
 public class GlobalMatrixAuthorizationStrategy extends AuthorizationStrategy {
-    private transient ACL acl = new AclImpl();
+    private transient SidACL acl = new AclImpl();

    /**
     * List up all permissions that are granted.
@@ -64,7 +64,7 @@ public class GlobalMatrixAuthorizationStrategy extends AuthorizationStrategy {
    }

    @Override
-    public ACL getRootACL() {
+    public SidACL getRootACL() {
        return acl;
    }


--- a/core/src/main/java/hudson/security/ProjectMatrixAuthorizationStrategy.java
+++ b/core/src/main/java/hudson/security/ProjectMatrixAuthorizationStrategy.java
@@ -22,7 +22,7 @@ public class ProjectMatrixAuthorizationStrategy extends GlobalMatrixAuthorizatio
    public ACL getACL(AbstractProject<?,?> project) {
        AuthorizationMatrixProperty amp = project.getProperty(AuthorizationMatrixProperty.class);
        if (amp != null && amp.isUseProjectSecurity()) {
-            return amp.getACL();
+            return amp.getACL().newInheritingACL(getRootACL());
        } else {
            return getRootACL();
        }

--- a/core/src/main/java/hudson/security/SidACL.java
+++ b/core/src/main/java/hudson/security/SidACL.java
@@ -68,4 +68,20 @@ public abstract class SidACL extends ACL {
     *      or denying the access (if the model is no-access-by-default.)  
     */
    protected abstract Boolean hasPermission(Sid p, Permission permission);
+
+    /**
+     * Creates a new {@link SidACL} that first consults 'this' {@link SidACL} and then delegate to
+     * the given parent {@link SidACL}. By doing this at the {@link SidACL} level and not at the
+     * {@link ACL} level, this allows the child ACLs to have an explicit deny entry.
+     */
+    public final SidACL newInheritingACL(final SidACL parent) {
+        final SidACL child = this;
+        return new SidACL() {
+            protected Boolean hasPermission(Sid p, Permission permission) {
+                Boolean b = child.hasPermission(p, permission);
+                if(b!=null) return b;
+                return parent.hasPermission(p,permission);
+            }
+        };
+    }
 }