Matrix security username/groupname validation required admin permission

even in project-specific permissions.. now require CONFIGURE permission on project
when validating in project settings.


git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@15080 71c3de6d-444a-0410-be80-ed276b4c234a

core/src/main/java/hudson/security/AuthorizationMatrixProperty.java

 package hudson.security;
 
+import hudson.model.AbstractProject;
 import hudson.model.Item;
 import hudson.model.Job;
 import hudson.model.JobProperty;
@@ -20,6 +21,7 @@ import net.sf.json.JSONObject;
 
 import org.acegisecurity.acls.sid.Sid;
 import org.kohsuke.stapler.StaplerRequest;
+import org.kohsuke.stapler.StaplerResponse;
 import org.kohsuke.stapler.QueryParameter;
 
 import com.thoughtworks.xstream.converters.Converter;
@@ -139,10 +141,10 @@ public class AuthorizationMatrixProperty extends JobProperty<Job<?, ?>> {
             return p!=Item.CREATE;
         }
 
-        public void doCheckName(@QueryParameter String value) throws IOException, ServletException {
-            GlobalMatrixAuthorizationStrategy.DESCRIPTOR.doCheckName(value);
+        public void doCheckName(StaplerRequest req, StaplerResponse res, @QueryParameter String value) throws IOException, ServletException {
+            GlobalMatrixAuthorizationStrategy.DESCRIPTOR.doCheckName(value, req.findAncestorObject(AbstractProject.class), AbstractProject.CONFIGURE);
         }
-	}
+    }
 
 	private final class AclImpl extends SidACL {
 		protected Boolean hasPermission(Sid sid, Permission p) {

core/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java

@@ -224,8 +224,12 @@ public class GlobalMatrixAuthorizationStrategy extends AuthorizationStrategy {
         }
 
         public void doCheckName(@QueryParameter String value ) throws IOException, ServletException {
+            doCheckName(value, Hudson.getInstance(), Hudson.ADMINISTER);
+        }
+
+        void doCheckName(String value, AccessControlled subject, Permission permission) throws IOException, ServletException {
             final String v = value.substring(1,value.length()-1);
-            new FormFieldValidator(Hudson.ADMINISTER) {
+            new FormFieldValidator(subject, permission) {
                 protected void check() throws IOException, ServletException {
                     SecurityRealm sr = Hudson.getInstance().getSecurityRealm();
                     String ev = Functions.escape(v);

core/src/main/resources/hudson/security/AuthorizationMatrixProperty/config.jelly

 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
   <f:optionalBlock name="useProjectSecurity" title="${%Enable project-based security}" checked="${instance.isUseProjectSecurity()}">
+    <j:set var="descriptorPath" value="descriptorByName/AuthorizationMatrixProperty" />
     <st:include page="/hudson/security/GlobalMatrixAuthorizationStrategy/config.jelly" />
   </f:optionalBlock>
-</j:jelly>
\ No newline at end of file
+</j:jelly>

core/src/main/resources/hudson/security/GlobalMatrixAuthorizationStrategy/config.jelly

@@ -121,9 +121,12 @@
           }
           e = null; <!-- avoid memory leak -->
         },
+        <j:if test="${empty(descriptorPath)}">
+          <j:set var="descriptorPath" value="${rootURL}/descriptor/${descriptor.clazz.name}"/>
+        </j:if>
         <!-- validates the name -->
         "#${strategyid} TR.permission-row" : function(e) {
-          FormChecker.delayedCheck("${rootURL}/descriptor/${descriptor.clazz.name}/checkName?value="+encode(e.getAttribute("name")),"GET",e.firstChild);
+          FormChecker.delayedCheck("${descriptorPath}/checkName?value="+encode(e.getAttribute("name")),"GET",e.firstChild);
         }
       });
     </script>