timja / jenkins-gh-issues-poc-06-18


[JENKINS-14546] Regular users (others than admin) can't see any nested-views (other than the default one) with role-based authorization strategy activated #2444

Open timja opened 12 years ago

timja commented 12 years ago

When Role-based Authorization Strategy is applied to Jobs, users others than admin can see their jobs but can't see any Nested-Views (or sub-Nested-views) other than the default one. Only admin user can see all nested views.

Originally reported by aherbe, imported from: Regular users (others than admin) can't see any nested-views (other than the default one) with role-based authorization strategy activated
  • assignee: mindless
  • status: Reopened
  • priority: Major
  • resolution: Unresolved
  • imported: 2022/01/10
timja commented 12 years ago

aherbe:

Users have "Read" rights on "View" item but don't have "Configure" rights on "View" item. When "Configure" rights on "View" item is checked, regular users can see any nested-views but this configuration is unsafe.

timja commented 12 years ago

aherbe:

I think upgrading Jenkins to version 1.467 or greater will resolve this problem (as mentioned in JENKINS-13429). Can you confirm this?

timja commented 12 years ago

jroyer:

I have the same problem on my own Jenkins server (Jenkins v1.480, Nested View Plugin v1.9).
I'm admin and I see all nested views. But my regular users can't see them.

timja commented 12 years ago

martinkutter:

Problem still remains with Jenkins-1.483, Nested View Plugin 1.8, and 1.9, role-strategy 1.1.2.

Without View.READ permissions, nested views are not shown as tabs, but can be accessed if the URL is guessed correctly.

timja commented 12 years ago

martinkutter:

I think this is due to how Jenkins handles read permissions in Views.

In hudson.security.AuthorizationStrategy#getACL, there's the following code:

if (!hasPermission && permission == View.READ) {
    return base.hasPermission(a,View.CONFIGURE) || !item.getItems().isEmpty();
}

The problem here is that for a nested view containing views (and no Jobs), item.getItems().isEmpty() is always true (getItems() only returns TopLevelElements - which [nested] views are not).

One way to fix this could be to introduce an isEmpty() method in hudson.model.Views, which would return this.getItems().isEmpty(). Subclasses like NestedView from the Nested Views Plugin could override this method and return true if any of the contained views is not empty.

timja commented 12 years ago

lmcazra:

We are facing the same problem (Jenkins LTS 1.466.2 & Nested View 1.9) [using Project-based Matrix Authorization Strategy].
Even if View.READ permission is granted, nested views are not visible to regular (non-admin) users.
As a workaround, we have emailed the affected users the URL to the view (e.g. http://jenkins_server/view/VIEWNAME).
[Note: This issue was not visible when we were running Jenkins 1.450 / Nested View plugin 1.8]

timja commented 11 years ago

jglick:

JENKINS-13429 was fixed in 1.467. @martinkutter your comment about getACL is missing the point, which is that you need to grant View.READ for people to see the views. The block you quote is only for backward compatibility with old versions of Jenkins that did not define View.READ at all.

timja commented 11 years ago

martinkutter:

The issue is not fixed in Jenkins 1.467.

I'm on 1.480.3-LTS with Role Strategy plugin 1.1.2 and Nested View Plugin 1.8.

We have several top-level views, which are only shown when a user has the (global) View.READ permission. They are not shown as tabs in the UI, but can be accessed by directly invoking the view's URL. These views are of the type "Nested View" and do not contain other jobs.

This means that the "backward compatibility" trick in JENKINS-3681 does not work when a view contains only other views (and no jobs).

A user can either see all views (by means of the View.READ permission), or only views containing Jobs.

timja commented 11 years ago

brainbug:

I'm on 1.480.3-LTS with Role Strategy plugin 1.1.2 and Nested View Plugin 1.9.

Martin Kutter: "These views are of the type "Nested View" and do not contain other jobs"
=> I created a dummy job on my nested view as a direct child, but the nested view is still not visible for users who have the rights.

But yes, if you know the links (of the Job, the Nested View or a Subview) you have access to them.

timja commented 11 years ago

ntshako:

We have the same problems when using both of the plugins.

Jenkins v1.518
Role-based Authorization Strategy Plugin v1.1.2
Nested View Plugin v1.10

This happens regardless of whether the nested views have jobs or not. Users with standard permissions cannot access the nested Views and only see those jobs through the All view.
It would be great if somebody fixed this, because I don't want to grant every user the admin permissions to see all views.

timja commented 10 years ago

yoichi:

What is the remaining problem?

A user assigned to role with Overall.Read & Job.Read & View.Read
can see nested views.

Tested on

timja commented 10 years ago

mateofacu:

Yoichi, the problem is that we don't want to give that kind of permission to all users.
A standard user with just a job-specific permission (not global) should see the tab if it contains any allowed job in a subview.

timja commented 10 years ago

yoichi:

Facundo,
The behavior described in my previous post is the same for ListView and AllView,
so the remaining problem is not specific to NestedView.

timja commented 10 years ago

oblongzebra:

Small workaround, if you have a link for the page, a normal user can access the page. (btw we are using 1.534 and are experiencing this problem)

timja commented 10 years ago

s0undt3ch:

Using 1.5.45, this is still present for, at least, list views.

timja commented 10 years ago

jroyer:

Issue is still present in 1.549!!!

I have a nested view, with one sub-view (type list view).

Admin users can see the nested view and its sub-view, and all jobs associated with it.
Regular users (with only Global Read permission) can't see the nested view. But they can see jobs in the tab "All".

The only way I found is to assign View Read Permission to regular users. But then they can see all views, even those without jobs.

timja commented 10 years ago

mcklaus:

I'm not sure yet, but we recently discovered that the Folders plugin (there is also a non-enterprise one) could maybe come in handy in these cases instead of using the Nested View plugin. hth

timja commented 10 years ago

harrygg:

True, we also use Folders Plugin. It avoids this bug, but introduces a different concept - with some other advantages, but lots of changes.

timja commented 9 years ago

mulder847:

I created a pull request to fix this bug: https://github.com/jenkinsci/nested-view-plugin/pull/20

The fix involves implementing the hasPermission method in the NestedView class. The method checks if any of the contained sub-views returns true for hasPermission; if none returned true, it calls super.hasPermission. This allows configuration of empty nested views.
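
The following is an added illustration (not Jenkins code, not the plugin's code, and not the pull request itself) of the mechanism discussed in martinkutter's getACL comment above and in this fix: a minimal model in which the legacy View.READ fallback hides a nested view that holds only sub-views, while a recursive hasPermission over the sub-views makes it visible. The class and method names in it are assumptions made for the model.

```java
import java.util.*;

// Hypothetical model of the View.READ fallback; the Jenkins classes are replaced by stand-ins.
public class NestedViewReadModel {
    enum Permission { VIEW_READ, VIEW_CONFIGURE }

    /** Explicit grants per user, as a role-based strategy would hold them. */
    static class BaseAcl {
        private final Map<String, Set<Permission>> grants = new HashMap<>();
        BaseAcl grant(String user, Permission p) {
            grants.computeIfAbsent(user, k -> EnumSet.noneOf(Permission.class)).add(p);
            return this;
        }
        boolean hasPermission(String user, Permission p) {
            return grants.getOrDefault(user, Collections.<Permission>emptySet()).contains(p);
        }
    }

    static class View {
        final String name;
        final List<String> jobs = new ArrayList<>();   // TopLevelItems shown to this user
        final List<View> subViews = new ArrayList<>(); // only nested views populate this
        View(String name) { this.name = name; }
        /** Models item.getItems(): jobs only; sub-views are not TopLevelItems. */
        List<String> getItems() { return jobs; }
    }

    /** The fallback quoted from AuthorizationStrategy#getACL: READ without a grant
     *  only when the user may CONFIGURE the view or the view shows at least one item. */
    static boolean canReadLegacy(BaseAcl base, String user, View view) {
        if (base.hasPermission(user, Permission.VIEW_READ)) return true;
        return base.hasPermission(user, Permission.VIEW_CONFIGURE) || !view.getItems().isEmpty();
    }

    /** The approach described for the fix: readable if any sub-view is readable, else defer. */
    static boolean canReadFixed(BaseAcl base, String user, View view) {
        for (View sub : view.subViews) {
            if (canReadFixed(base, user, sub)) return true;
        }
        return canReadLegacy(base, user, view);
    }

    public static void main(String[] args) {
        BaseAcl acl = new BaseAcl();            // constructed: "alice" holds no View permission
        View list = new View("team-list");
        list.jobs.add("build-app");             // a job alice is allowed to read
        View nested = new View("team");         // nested view containing only the list view
        nested.subViews.add(list);
        System.out.println("legacy: " + canReadLegacy(acl, "alice", nested)); // false
        System.out.println("fixed:  " + canReadFixed(acl, "alice", nested));  // true
    }
}
```

Granting View.READ globally (the workaround several commenters used) makes canReadLegacy return true for every view, which is why it also exposes views without jobs.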

timja commented 2 years ago

[Duplicates: JENKINS-13429]