From 79f22cd661f2da2b98bbcd649c9a3fbf8b3b3074 Mon Sep 17 00:00:00 2001
From: mindless
Date: Tue, 10 Nov 2009 07:08:14 +0000
Subject: [PATCH] Project read permission was not enforced via /jobCaseInsensitive/jobname path. Added unit test.
git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@23629 71c3de6d-444a-0410-be80-ed276b4c234a
---
 core/src/main/java/hudson/model/Hudson.java | 7 +++++--
 test/src/test/java/hudson/model/JobTest.java | 18 ++++++++++++++++++
 .../model/JobTest/testReadPermission.zip | Bin 0 -> 1753 bytes
 3 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 test/src/test/resources/hudson/model/JobTest/testReadPermission.zip
diff --git a/core/src/main/java/hudson/model/Hudson.java b/core/src/main/java/hudson/model/Hudson.java
index 70748a883e..7c442527d3 100644
--- a/core/src/main/java/hudson/model/Hudson.java
+++ b/core/src/main/java/hudson/model/Hudson.java
@@ -1796,9 +1796,12 @@ public final class Hudson extends Node implements ItemGroup, Stapl
 * Used only for mapping jobs to URL in a case-insensitive fashion.
 */
 public TopLevelItem getJobCaseInsensitive(String name) {
+ String match = Functions.toEmailSafeString(name);
 for (Entry e : items.entrySet()) {
- if(Functions.toEmailSafeString(e.getKey()).equalsIgnoreCase(Functions.toEmailSafeString(name)))
- return e.getValue();
+ if(Functions.toEmailSafeString(e.getKey()).equalsIgnoreCase(match)) {
+ TopLevelItem item = e.getValue();
+ return item.hasPermission(Item.READ) ? item : null;
+ }
 }
 return null;
 }
diff --git a/test/src/test/java/hudson/model/JobTest.java b/test/src/test/java/hudson/model/JobTest.java
index 007361b05a..edd18c7a6d 100644
--- a/test/src/test/java/hudson/model/JobTest.java
+++ b/test/src/test/java/hudson/model/JobTest.java
@@ -23,6 +23,7 @@
 */
 package hudson.model;
+import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
 import com.gargoylesoftware.htmlunit.WebAssert;
 import com.gargoylesoftware.htmlunit.html.HtmlPage;
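Review bot: In `getJobCaseInsensitive`, the new `return item.hasPermission(Item.READ) ? item : null;` ends the search at the first key whose normalized form matches, so an unreadable first match hides any later one. `Functions.toEmailSafeString(...)` followed by `equalsIgnoreCase` presumably maps more than one job name to the same string (the helper is not shown here); when that happens, a user who has READ on a later match still gets null. Consider `if (item.hasPermission(Item.READ)) return item;` and letting the loop continue, since the final `return null;` still keeps a denied job indistinguishable from a missing one. The Javadoc, which starts above the hunk, should also state the contract, e.g. `@return the matching item, or null if none exists or the caller lacks Item.READ`.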
@@ -30,6 +31,7 @@ import hudson.util.TextFile;
 import java.io.IOException;
 import java.util.concurrent.CountDownLatch;
 import org.jvnet.hudson.test.HudsonTestCase;
+import org.jvnet.hudson.test.recipes.LocalData;
 /**
 * @author Kohsuke Kawaguchi
@@ -157,4 +159,20 @@ public class JobTest extends HudsonTestCase {
 }
 }
 }
+
+ @LocalData
+ public void testReadPermission() throws Exception {
+ WebClient wc = new WebClient();
+ try {
+ HtmlPage page = wc.goTo("/job/testJob/");
+ fail("getJob bypassed READ permission: " + page.getTitleText() + page.getBody().asText());
+ } catch (FailingHttpStatusCodeException expected) { }
+ try {
+ HtmlPage page = wc.goTo("/jobCaseInsensitive/testJob/");
+ fail("getJobCaseInsensitive bypassed READ permission: " + page.getTitleText());
+ } catch (FailingHttpStatusCodeException expected) { }
+ wc.login("joe"); // Has Item.READ permission
+ wc.goTo("/job/testJob/");
+ wc.goTo("/jobCaseInsensitive/TESTJOB/");
+ }
 }
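Review bot: Both `catch (FailingHttpStatusCodeException expected) { }` blocks in `testReadPermission` accept any failing status, so a 500 from an unrelated error would let the test pass without showing that READ was enforced. Assert the status inside each catch, e.g. `assertEquals(EXPECTED_STATUS, expected.getStatusCode());`, where `EXPECTED_STATUS` is a placeholder for the code the project returns for an unreadable job. The anonymous request to `/jobCaseInsensitive/` also uses the exact-case name `testJob`, so the case-folded lookup is only exercised after login. A denied request for `/jobCaseInsensitive/TESTJOB/` before `wc.login("joe")` would cover the comparison this path exists for.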
diff --git a/test/src/test/resources/hudson/model/JobTest/testReadPermission.zip b/test/src/test/resources/hudson/model/JobTest/testReadPermission.zip new file mode 100644 index 0000000000000000000000000000000000000000..0332f404e4d2a71ffb4848a8199b167f33a47644 GIT binary patch literal 1753 zcmWIWW@Zs#U|`^2_`EFBTGj28iXtNeLnspi0~doRLvnszT4uUlMQ%=L2qy!x=cgZD z-h4m3LMvDpzA}n1^ah>wJ8U4Z=ezczxFV&zmI(n*cb#H9(&%*c0Q-!Jsd=4mAGuHY z@byTgho+X$_PKXw-i$n5a{GkVs)G?%vV@nP)ar8(jar~({_*$i$7gHzq;gk%Ih1u& zEYQW>$b0hbP_L6LhdnBPUT}Cg*KAtpW^NgdAnpYH_3g3Wd_4J`u1BA+p5}PnDBUK& z=sgSD_jfCJ>x!?hJvH|s-zhUKt-QBsmMPwEG(5h!&0kPp{f@`%rs-3o8D-nj4TN&# z>rFUku6mNmFmu9+3swf%a$a6(P4$*C4c(^UQCowme@FYDyt@0>#S-7=0VntC$!>eY zdu^`4eC=i2tWp009s8Dkdj7Fczq+=sJGb_=ik+_Hq>w#r8~=Uc$m3_*novIF%)_Qh zFDL(D2mppI7cg`g7{og>t-%Z^!3qrBto)>6eQ?0a?fu~ujufy6eYKlW_3^^=m82Gz zc;zQS^uJ^OiJ>17t04XF(yyPF2F9u+FjmFU^`k{G$Ry+_o*IaVVkUN>9g0tOI4P*` zxrTB-dUNCUk%N88>tnap*p|%+aeZ{Cu&gZYn`4;!+D*(6Q0zN|A1tJ|y*X`KGFaI(qrB^*-y8$3Vm_H>*3)!~$VN2IXKmLoev<|=I!T+kKH zzUu~)F#lXmKJnbleV^ttvvtR73q7%V+@%DHocp9=)l}U73+_#>*pn&-&1sbNsqy_!ydlEau&zs4%zn1U6iFil_SNedHvKQ z-+J7?UEY-Fv9xgZm*?_`NSe9@HImqXfm~XgS_F;VU!0h+14$J-&@_Vb97JPQekvqt zZMZNsL!uU>dD_)4^REMwQ~)q~MNl-O#Vg1d&hLi7fh{_TxD5 zm!F@dMJ+#_rqu4SaHdM<9o}pAlHJd)RiF9)f`t`J{elb9UCQ&C{w`Qt9;sr=a=AY3 zb$%VkvkqI^*h}tCw{w?Yzp{Aa^s|9&hWmamxGwSi?5lT2_pW`$TA-0O^_qwEvh1ZU znmZo!Y*%HtB>G|(6YH8#7MC@mGOL5m23%Ro#;ft!{#xNva z$IQRT`lrG4BXTp)98exan1d@HBYWl=x;bb*Lp2fNGt5Mb>@sU+26z$%Iti475l+ID vc##b#fg1ox%0NRvX%Jxuu0)LNuZ<{%pm_>m94i|rHravj3oszgvw(O2dtgty literal 0 HcmV?d00001 -- GitLab