From 63eec22c2d501242b8143e331d8f6f29ece23005 Mon Sep 17 00:00:00 2001
From: kohsuke
Date: Tue, 16 Dec 2008 20:01:13 +0000
Subject: [PATCH] [FIXED HUDSON-2186] In project-based matrix security, global setting should be inherited to per-job setting. IN 1.265.
git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@13654 71c3de6d-444a-0410-be80-ed276b4c234a
---
 .../security/AuthorizationMatrixProperty.java | 4 ++--
 .../GlobalMatrixAuthorizationStrategy.java | 4 ++--
 .../ProjectMatrixAuthorizationStrategy.java | 2 +-
 core/src/main/java/hudson/security/SidACL.java | 16 ++++++++++++++++
 4 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/core/src/main/java/hudson/security/AuthorizationMatrixProperty.java b/core/src/main/java/hudson/security/AuthorizationMatrixProperty.java
index e8068f8bf8..154d7c741d 100644
--- a/core/src/main/java/hudson/security/AuthorizationMatrixProperty.java
+++ b/core/src/main/java/hudson/security/AuthorizationMatrixProperty.java
@@ -36,7 +36,7 @@ public class AuthorizationMatrixProperty extends JobProperty> {
 public static final JobPropertyDescriptor DESCRIPTOR = new DescriptorImpl();
- private transient ACL acl = new AclImpl();
+ private transient SidACL acl = new AclImpl();
 private boolean useProjectSecurity;
@@ -178,7 +178,7 @@ public class AuthorizationMatrixProperty extends JobProperty> {
 return this;
 }
- public ACL getACL() {
+ public SidACL getACL() {
 return acl;
 }
diff --git a/core/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java b/core/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java
index 6ceaa97579..a31df543e7 100644
--- a/core/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java
+++ b/core/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java
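Review bot: Narrowing the public return type of `AuthorizationMatrixProperty.getACL()` from `ACL` to `SidACL` (second hunk of AuthorizationMatrixProperty.java) changes the method's binary signature, so callers compiled against the previous release, plugins for example, would fail to link with NoSuchMethodError unless the method overrides a supertype declaration and gets a bridge method, which is not visible here. `GlobalMatrixAuthorizationStrategy.getRootACL()` is marked `@Override`, so it keeps a bridge method and is not affected. If outside callers are possible, keeping `public ACL getACL()` and adding a separate accessor such as `SidACL getSidACL() { return acl; }` for `ProjectMatrixAuthorizationStrategy` avoids the break. The class body continues outside both hunks.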
@@ -29,7 +29,7 @@ import java.util.Set;
 */
 // TODO: think about the concurrency commitment of this class
 public class GlobalMatrixAuthorizationStrategy extends AuthorizationStrategy {
- private transient ACL acl = new AclImpl();
+ private transient SidACL acl = new AclImpl();
 /**
 * List up all permissions that are granted.
@@ -64,7 +64,7 @@ public class GlobalMatrixAuthorizationStrategy extends AuthorizationStrategy {
 }
 @Override
- public ACL getRootACL() {
+ public SidACL getRootACL() {
 return acl;
 }
diff --git a/core/src/main/java/hudson/security/ProjectMatrixAuthorizationStrategy.java b/core/src/main/java/hudson/security/ProjectMatrixAuthorizationStrategy.java
index ca7da447f8..6ff8c4f420 100644
--- a/core/src/main/java/hudson/security/ProjectMatrixAuthorizationStrategy.java
+++ b/core/src/main/java/hudson/security/ProjectMatrixAuthorizationStrategy.java
@@ -22,7 +22,7 @@ public class ProjectMatrixAuthorizationStrategy extends GlobalMatrixAuthorizatio
 public ACL getACL(AbstractProject project) {
 AuthorizationMatrixProperty amp = project.getProperty(AuthorizationMatrixProperty.class);
 if (amp != null && amp.isUseProjectSecurity()) {
- return amp.getACL();
+ return amp.getACL().newInheritingACL(getRootACL());
 } else {
 return getRootACL();
 }
diff --git a/core/src/main/java/hudson/security/SidACL.java b/core/src/main/java/hudson/security/SidACL.java
index b87e067391..7d027836ce 100644
--- a/core/src/main/java/hudson/security/SidACL.java
+++ b/core/src/main/java/hudson/security/SidACL.java
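Review bot: In `ProjectMatrixAuthorizationStrategy.getACL`, the new `amp.getACL().newInheritingACL(getRootACL())` widens access for every job that already has project security enabled, and nothing in the code or its comments records that. Any sid the job matrix does not decide now falls through to the global matrix, so a job that was restricted simply by not listing a user or group becomes accessible to holders of the matching global permission after upgrade. Whether the job matrix can express an explicit deny to restore such a restriction is not visible in this diff. I would document the rule on the method, e.g. `// Job matrix is consulted first; sids it does not decide inherit the global matrix (HUDSON-2186), so omission no longer restricts a job`, and call the change out in the release notes. The end of getACL lies outside the hunk.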
@@ -68,4 +68,20 @@ public abstract class SidACL extends ACL {
 * or denying the access (if the model is no-access-by-default.)
 */
 protected abstract Boolean hasPermission(Sid p, Permission permission);
+
+ /**
+ * Creates a new {@link SidACL} that first consults 'this' {@link SidACL} and then delegate to
+ * the given parent {@link SidACL}. By doing this at the {@link SidACL} level and not at the
+ * {@link ACL} level, this allows the child ACLs to have an explicit deny entry.
+ */
+ public final SidACL newInheritingACL(final SidACL parent) {
+ final SidACL child = this;
+ return new SidACL() {
+ protected Boolean hasPermission(Sid p, Permission permission) {
+ Boolean b = child.hasPermission(p, permission);
+ if(b!=null) return b;
+ return parent.hasPermission(p,permission);
+ }
+ };
+ }
 }
-- GitLab
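Review bot: `newInheritingACL` accepts a null `parent` and fails only later, with a NullPointerException in the middle of a permission check when `parent.hasPermission(p,permission)` is reached; a guard at the top such as `if (parent == null) throw new IllegalArgumentException("parent must not be null");` keeps the failure at the call site. The Javadoc should also spell out the rule the anonymous class implements: a non-null answer from the child, grant or deny, is final for that sid, and only `null` falls through to the parent. How the per-sid answers are combined for a user with several sids is decided outside this hunk, so whether a child deny on a group sid can be overridden by a parent grant on the user's own sid cannot be confirmed from here and deserves a sentence in the documentation. Adding `@Override` to the anonymous `hasPermission` would let the compiler catch a signature drift.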