Merge pull request #4573 from daniel-beck/JENKINS-61465

[JENKINS-61465] Make checkAnyPermission work on non-AccessControlled

Merge pull request #4573 from daniel-beck/JENKINS-61465
[JENKINS-61465] Make checkAnyPermission work on non-AccessControlled
bdff7475 · Tim Jacomb · GitHub · 6de7e5fc · 7259d869 · bdff7475
3 changed file
--- a/core/src/main/java/hudson/Functions.java
+++ b/core/src/main/java/hudson/Functions.java
@@ -1172,6 +1172,31 @@ public class Functions {
        ac.checkAnyPermission(permissions);
    }

+    /**
+     * This version is so that the 'checkAnyPermission' on {@code layout.jelly}
+     * degrades gracefully if "it" is not an {@link AccessControlled} object.
+     * Otherwise it will perform no check and that problem is hard to notice.
+     */
+    public static void checkAnyPermission(Object object, Permission[] permissions) throws IOException, ServletException {
+        if (permissions == null || permissions.length == 0) {
+            return;
+        }
+
+        if (object instanceof AccessControlled)
+            checkAnyPermission((AccessControlled) object, permissions);
+        else {
+            List<Ancestor> ancs = Stapler.getCurrentRequest().getAncestors();
+            for(Ancestor anc : Iterators.reverse(ancs)) {
+                Object o = anc.getObject();
+                if (o instanceof AccessControlled) {
+                    checkAnyPermission((AccessControlled) o, permissions);
+                    return;
+                }
+            }
+            checkAnyPermission(Jenkins.get(), permissions);
+        }
+    }
+
    private static class Tag implements Comparable<Tag> {
        double ordinal;
        String hierarchy;

--- a/test/src/test/java/hudson/security/ACLTest.java
+++ b/test/src/test/java/hudson/security/ACLTest.java
@@ -24,8 +24,10 @@

 package hudson.security;

+import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
 import hudson.model.FreeStyleProject;
 import hudson.model.Item;
+import hudson.model.UnprotectedRootAction;
 import hudson.model.User;
 import java.util.Collection;
 import java.util.Collections;
@@ -39,6 +41,9 @@ import org.junit.rules.ExpectedException;
 import org.jvnet.hudson.test.Issue;
 import org.jvnet.hudson.test.JenkinsRule;
 import org.jvnet.hudson.test.MockAuthorizationStrategy;
+import org.jvnet.hudson.test.TestExtension;
+
+import javax.annotation.CheckForNull;

 public class ACLTest {

@@ -121,6 +126,29 @@ public class ACLTest {
        r.jenkins.getACL().checkAnyPermission();
    }

+    @Test
+    @Issue("JENKINS-61465")
+    public void checkAnyPermissionOnNonAccessControlled() throws Exception {
+        expectedException = ExpectedException.none();
+
+        r.jenkins.setSecurityRealm(r.createDummySecurityRealm());
+        r.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
+                .grant(Jenkins.READ).everywhere().toEveryone());
+
+        JenkinsRule.WebClient wc = r.createWebClient();
+        try {
+            wc.goTo("either");
+            fail();
+        } catch (FailingHttpStatusCodeException ex) {
+            assertEquals(403, ex.getStatusCode());
+        }
+
+        r.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
+                .grant(Jenkins.ADMINISTER).everywhere().toEveryone());
+
+        wc.goTo("either"); // expected to work
+    }
+
    private static class DoNotBotherMe extends AuthorizationStrategy {

        @Override
@@ -140,4 +168,26 @@ public class ACLTest {

    }

+    @TestExtension
+    public static class EitherPermission implements UnprotectedRootAction {
+
+        @CheckForNull
+        @Override
+        public String getIconFileName() {
+            return null;
+        }
+
+        @CheckForNull
+        @Override
+        public String getDisplayName() {
+            return null;
+        }
+
+        @CheckForNull
+        @Override
+        public String getUrlName() {
+            return "either";
+        }
+    }
+
 }
--- a/test/src/test/resources/hudson/security/ACLTest/EitherPermission/index.jelly
+++ b/test/src/test/resources/hudson/security/ACLTest/EitherPermission/index.jelly
+<!--
+The MIT License
+
+Copyright (c) 2011, CloudBees, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+-->
+
+<!-- 3rd party license acknowledgements and  -->
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:s="/lib/form">
+<l:layout permissions="${app.MANAGE_AND_SYSTEM_READ}" type="one-column" title="Hello">
+    <l:main-panel>
+        <div class="container-fluid">
+            <div class="row">
+                <div class="col-md-24">
+                    <h1>Hello, world!</h1>
+                </div>
+            </div>
+        </div>
+    </l:main-panel>
+</l:layout>
+</j:jelly>