defined the 'SYSTEM' user.

git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@7203 71c3de6d-444a-0410-be80-ed276b4c234a

defined the 'SYSTEM' user.
git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@7203 71c3de6d-444a-0410-be80-ed276b4c234a
ba2d2c3c · kohsuke · 68eabb63 · ba2d2c3c · ba2d2c3c · ba2d2c3c
3 changed file
--- a/core/src/main/java/hudson/security/ACL.java
+++ b/core/src/main/java/hudson/security/ACL.java
@@ -2,6 +2,7 @@ package hudson.security;

 import org.acegisecurity.AccessDeniedException;
 import org.acegisecurity.Authentication;
+import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
 import org.acegisecurity.acls.sid.PrincipalSid;
 import org.acegisecurity.acls.sid.Sid;
 import org.acegisecurity.context.SecurityContextHolder;
@@ -40,6 +41,10 @@ public abstract class ACL {

    /**
     * Checks if the given principle has the given permission.
+     *
+     * <p>
+     * Note that {@link #SYSTEM} can be passed in as the authentication parameter,
+     * in which case you should probably just assume it has every permission.
     */
    public abstract boolean hasPermission(Authentication a, Permission permission);

@@ -64,4 +69,18 @@ public abstract class ACL {
     * regardless of the current {@link SecurityRealm} in use.
     */
    public static final Sid ANONYMOUS = new PrincipalSid("anonymous");
+
+    /**
+     * {@link Sid} that represents the Hudson itself.
+     * <p>
+     * This is used when Hudson is performing computation for itself, instead
+     * of acting on behalf of an user, such as doing builds.
+     *
+     * <p>
+     * Technically speaking, this is probably a broken concept, because Hudson never
+     * does anything on its own; for example, it builds a project because someone
+     * configures it or someone triggers it, so ideally Hudson should be impersonating
+     * that user when executing things.
+     */
+    public static final Authentication SYSTEM = new UsernamePasswordAuthenticationToken("SYSTEM","SYSTEM");
 }
--- a/core/src/main/java/hudson/security/SidACL.java
+++ b/core/src/main/java/hudson/security/SidACL.java
@@ -16,6 +16,7 @@ public abstract class SidACL extends ACL {

    @Override
    public boolean hasPermission(Authentication a, Permission permission) {
+        if(a==SYSTEM)   return true;
        Boolean b = _hasPermission(a,permission);
        if(b==null) b=false;    // default to rejection
        return b;

--- a/core/src/main/java/hudson/security/SparseACL.java
+++ b/core/src/main/java/hudson/security/SparseACL.java
@@ -44,6 +44,7 @@ public class SparseACL extends SidACL {
    }

    public boolean hasPermission(Authentication a, Permission permission) {
+        if(a==SYSTEM)   return true;
        Boolean b = _hasPermission(a,permission);
        if(b!=null) return b;