Project read permission was not enforced via /jobCaseInsensitive/jobname path.

Added unit test. git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@23629 71c3de6d-444a-0410-be80-ed276b4c234a

Project read permission was not enforced via /jobCaseInsensitive/jobname path.
Added unit test. git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@23629 71c3de6d-444a-0410-be80-ed276b4c234a
79f22cd6 · mindless · 64cb39fe · 79f22cd6 · 79f22cd6 · 79f22cd6
3 changed file
--- a/core/src/main/java/hudson/model/Hudson.java
+++ b/core/src/main/java/hudson/model/Hudson.java
@@ -1796,9 +1796,12 @@ public final class Hudson extends Node implements ItemGroup<TopLevelItem>, Stapl
     *      Used only for mapping jobs to URL in a case-insensitive fashion.
     */
    public TopLevelItem getJobCaseInsensitive(String name) {
+        String match = Functions.toEmailSafeString(name);
        for (Entry<String, TopLevelItem> e : items.entrySet()) {
-            if(Functions.toEmailSafeString(e.getKey()).equalsIgnoreCase(Functions.toEmailSafeString(name)))
-                return e.getValue();
+            if(Functions.toEmailSafeString(e.getKey()).equalsIgnoreCase(match)) {
+                TopLevelItem item = e.getValue();
+                return item.hasPermission(Item.READ) ? item : null;
+            }
        }
        return null;
    }

--- a/test/src/test/java/hudson/model/JobTest.java
+++ b/test/src/test/java/hudson/model/JobTest.java
@@ -23,6 +23,7 @@
 */
 package hudson.model;

+import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
 import com.gargoylesoftware.htmlunit.WebAssert;
 import com.gargoylesoftware.htmlunit.html.HtmlPage;

@@ -30,6 +31,7 @@ import hudson.util.TextFile;
 import java.io.IOException;
 import java.util.concurrent.CountDownLatch;
 import org.jvnet.hudson.test.HudsonTestCase;
+import org.jvnet.hudson.test.recipes.LocalData;

 /**
 * @author Kohsuke Kawaguchi
@@ -157,4 +159,20 @@ public class JobTest extends HudsonTestCase {
            }
        }
    }
+
+    @LocalData
+    public void testReadPermission() throws Exception {
+        WebClient wc = new WebClient();
+        try {
+            HtmlPage page = wc.goTo("/job/testJob/");
+            fail("getJob bypassed READ permission: " + page.getTitleText() + page.getBody().asText());
+        } catch (FailingHttpStatusCodeException expected) { }
+        try {
+            HtmlPage page = wc.goTo("/jobCaseInsensitive/testJob/");
+            fail("getJobCaseInsensitive bypassed READ permission: " + page.getTitleText());
+        } catch (FailingHttpStatusCodeException expected) { }
+        wc.login("joe");  // Has Item.READ permission
+        wc.goTo("/job/testJob/");
+        wc.goTo("/jobCaseInsensitive/TESTJOB/");
+    }
 }
--- a/test/src/test/resources/hudson/model/JobTest/testReadPermission.zip
+++ b/test/src/test/resources/hudson/model/JobTest/testReadPermission.zip