authorWinston Prakash2014-05-29 00:52:05 -0400
committerWinston Prakash2014-05-29 00:52:05 -0400
commit7fbe196540356c5bf70b1ee64d50210dae7f963b (patch)
treeb68f99278954c4b59acc74fcffd2854af1f346e4
parent65e9e4119287518819fadcfd543a718c3599fb37 (diff)
downloadorg.eclipse.hudson.core-7fbe196540356c5bf70b1ee64d50210dae7f963b.tar.gz
org.eclipse.hudson.core-7fbe196540356c5bf70b1ee64d50210dae7f963b.tar.xz
org.eclipse.hudson.core-7fbe196540356c5bf70b1ee64d50210dae7f963b.zip
Phase 3 of the View/Node isolation implementation. Team-owned views are shown when a team member is logged in. Also, creating, deleting and configuring a view is allowed based on the team member's permissions.
-rw-r--r--hudson-core/src/main/java/hudson/model/Hudson.java27
-rw-r--r--hudson-core/src/main/java/hudson/model/View.java48
-rw-r--r--hudson-core/src/main/java/org/eclipse/hudson/security/team/TeamBasedACL.java28
-rw-r--r--hudson-core/src/main/java/org/eclipse/hudson/security/team/TeamManager.java16
-rw-r--r--hudson-core/src/main/java/org/eclipse/hudson/security/team/TeamMember.java6
5 files changed, 116 insertions, 9 deletions
diff --git a/hudson-core/src/main/java/hudson/model/Hudson.java b/hudson-core/src/main/java/hudson/model/Hudson.java
index 3235cfa0..c686614d 100644
--- a/hudson-core/src/main/java/hudson/model/Hudson.java
+++ b/hudson-core/src/main/java/hudson/model/Hudson.java
@@ -155,6 +155,7 @@ import java.util.concurrent.LinkedBlockingQueue;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
+import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@@ -176,6 +177,7 @@ import org.eclipse.hudson.plugins.PluginCenter;
import org.eclipse.hudson.script.ScriptSupport;
import org.eclipse.hudson.security.HudsonSecurityEntitiesHolder;
import org.eclipse.hudson.security.HudsonSecurityManager;
+import org.eclipse.hudson.security.team.Team;
import org.eclipse.hudson.security.team.TeamManager;
import org.jvnet.hudson.reactor.Executable;
import org.jvnet.hudson.reactor.Milestone;
@@ -1443,7 +1445,23 @@ public final class Hudson extends Node implements ItemGroup<TopLevelItem>, Stapl
* Gets the read-only list of all {@link View}s.
*/
@Exported
+ @Override
public synchronized Collection<View> getViews() {
+ List<View> copy = new ArrayList<View>();
+ if (this.isTeamManagementEnabled()) {
+ for (View view : views) {
+ if (view.hasPermission(View.READ)) {
+ copy.add(view);
+ }
+ }
+ } else {
+ copy.addAll(views);
+ }
+ Collections.sort(copy, View.SORTER);
+ return copy;
+ }
+
+ public synchronized Collection<View> getAllViews() {
List<View> copy = new ArrayList<View>(views);
Collections.sort(copy, View.SORTER);
return copy;
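Review bot: `getAllViews()` is added as a public, unfiltered accessor next to the now READ-filtered `getViews()`, so any caller that picks it up bypasses the team isolation this commit introduces. The only uses visible in this commit are inside TeamManager, one of them behind an `isCurrentUserSysAdmin()` check, so I would add a Javadoc such as `/** Returns every view without permission filtering; for internal team bookkeeping only, never for rendering to a user. */` and confirm that the web layer does not expose this public getter to requests. The existing Javadoc on `getViews()` ("read-only list of all Views") no longer matches and should say that the list is limited to views the current user can READ when team management is enabled. The body of `getAllViews()` closes outside this hunk.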
@@ -1847,6 +1865,15 @@ public final class Hudson extends Node implements ItemGroup<TopLevelItem>, Stapl
public void onViewRenamed(View view, String oldName, String newName) {
// implementation of Hudson is immune to view name change.
+ TeamManager teamManager = Hudson.getInstance().getTeamManager();
+ if (!teamManager.isTeamManagementEnabled()) {
+ try {
+ Team team = teamManager.findViewOwnerTeam(oldName);
+ teamManager.renameView(team, oldName, newName);
+ } catch (IOException ex) {
+ logger.warn("Failed to rename view in team.", ex);
+ }
+ }
}
@Override
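Review bot: The guard `if (!teamManager.isTeamManagementEnabled())` in `onViewRenamed` looks inverted: the team record is renamed only when team management is off, whereas `removeFromTeam` in View.java acts only when it is on. With teams enabled, a renamed view would keep its old name in the owning team, so `findViewOwnerTeam(newName)` would presumably find no owner and the view would fall out of the team's access checks. Suggested: `if (teamManager.isTeamManagementEnabled()) {` and, inside the try, `if (team != null) { teamManager.renameView(team, oldName, newName); }`, since TeamBasedACL treats a null result from `findViewOwnerTeam` as possible. The comment `// implementation of Hudson is immune to view name change.` no longer holds and should be replaced. `java.util.logging.Level`, imported in the first hunk, is not used by any line shown.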
diff --git a/hudson-core/src/main/java/hudson/model/View.java b/hudson-core/src/main/java/hudson/model/View.java
index e0411c39..3149fbf2 100644
--- a/hudson-core/src/main/java/hudson/model/View.java
+++ b/hudson-core/src/main/java/hudson/model/View.java
@@ -15,12 +15,12 @@
package hudson.model;
-import static hudson.model.Hudson.checkGoodName;
import hudson.DescriptorExtensionList;
import hudson.Extension;
import hudson.ExtensionPoint;
import hudson.Util;
import hudson.model.Descriptor.FormException;
+import static hudson.model.Hudson.checkGoodName;
import hudson.model.Node.Mode;
import hudson.scm.ChangeLogSet.Entry;
import hudson.search.CollectionSearchIndex;
@@ -31,7 +31,6 @@ import hudson.util.BuildHistoryList;
import hudson.util.DescriptorList;
import hudson.util.RunList;
import hudson.widgets.Widget;
-
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
@@ -44,10 +43,11 @@ import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
-
import javax.servlet.ServletException;
import org.eclipse.hudson.security.HudsonSecurityEntitiesHolder;
-
+import org.eclipse.hudson.security.team.Team;
+import org.eclipse.hudson.security.team.TeamManager;
+import org.eclipse.hudson.security.team.TeamManager.TeamNotFoundException;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.export.Exported;
@@ -613,6 +613,7 @@ public abstract class View extends AbstractModelObject implements AccessControll
checkPermission(DELETE);
owner.deleteView(this);
+ removeFromTeam(getViewName());
rsp.sendRedirect2(req.getContextPath() + "/" + owner.getUrl());
}
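Review bot: `removeFromTeam(getViewName())` runs after `owner.deleteView(this)`, so an IOException from the team update leaves the view deleted but still listed under its team, and the redirect is skipped. A later view created with the same name might then be resolved to the old team by `findViewOwnerTeam`; that is an assumption to confirm against TeamManager. Consider handling the failure explicitly (log it and still redirect, or roll back) and adding a comment such as `// keep team ownership records in step with the view list`. The method starts outside this hunk.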
@@ -716,10 +717,49 @@ public abstract class View extends AbstractModelObject implements AccessControll
// create a view
View v = all().findByName(mode).newInstance(req, req.getSubmittedForm());
v.owner = owner;
+
+ //TODO: Get teamname to add from view creation UI
+ addToTeam(v.getViewName(), null);
// redirect to the config screen
rsp.sendRedirect2(req.getContextPath() + '/' + v.getUrl() + v.getPostConstructLandingPage());
return v;
}
+
+ private static void addToTeam(String name, String teamName) throws IOException {
+ TeamManager teamManager = Hudson.getInstance().getTeamManager();
+ if (!teamManager.isTeamManagementEnabled()) {
+ if (teamName != null) {
+ throw new IOException("Team management is not enabled");
+ }
+ }
+ Team team = null;
+ if (teamName == null) {
+ try {
+ team = teamManager.findCurrentUserTeamForNewView();
+ } catch (TeamNotFoundException ex) {
+ // Shouldn't happen, as user is already confirmed for Job.CREATE
+
+ }
+ } else {
+ try {
+ team = teamManager.findTeam(teamName);
+ } catch (TeamNotFoundException e) {
+ throw new IOException("Team " + teamName + " does not exist");
+ }
+ }
+ try {
+ teamManager.addView(team, name);
+ } catch (TeamNotFoundException ex) {
+ throw new IOException("Team " + teamName + " does not exist");
+ }
+ }
+
+ private void removeFromTeam(String name) throws IOException {
+ TeamManager teamManager = Hudson.getInstance().getTeamManager();
+ if (teamManager.isTeamManagementEnabled()) {
+ teamManager.removeView(name);
+ }
+ }
}
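Review bot: In `addToTeam`, the `TeamNotFoundException` from `findCurrentUserTeamForNewView()` is swallowed, so `team` stays null and `teamManager.addView(null, name)` is still called; the view then either has no owning team or fails in a way that hides the cause. The catch comment refers to Job.CREATE although the lookup is for View.CREATE, and the last catch builds its message from `teamName`, which is null on the only call site shown. The method also continues to `addView` when team management is disabled and `teamName` is null, which looks unintended given that `removeFromTeam` does nothing in that case. I would return early and fail closed as below. The enclosing view-creation method begins outside the hunk.

```java
private static void addToTeam(String name, String teamName) throws IOException {
    TeamManager teamManager = Hudson.getInstance().getTeamManager();
    if (!teamManager.isTeamManagementEnabled()) {
        if (teamName != null) {
            throw new IOException("Team management is not enabled");
        }
        // Nothing to record when teams are off; mirrors removeFromTeam.
        return;
    }
    try {
        Team team = (teamName == null)
                ? teamManager.findCurrentUserTeamForNewView()
                : teamManager.findTeam(teamName);
        teamManager.addView(team, name);
    } catch (TeamNotFoundException ex) {
        // Fail closed: never register a view without an owning team.
        throw new IOException("No team available to own view " + name, ex);
    }
}
```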
diff --git a/hudson-core/src/main/java/org/eclipse/hudson/security/team/TeamBasedACL.java b/hudson-core/src/main/java/org/eclipse/hudson/security/team/TeamBasedACL.java
index 2418bf91..335f96d2 100644
--- a/hudson-core/src/main/java/org/eclipse/hudson/security/team/TeamBasedACL.java
+++ b/hudson-core/src/main/java/org/eclipse/hudson/security/team/TeamBasedACL.java
@@ -13,7 +13,6 @@ package org.eclipse.hudson.security.team;
import hudson.model.Computer;
import hudson.model.Item;
import hudson.model.Job;
-import hudson.model.Node;
import hudson.model.View;
import hudson.security.Permission;
import hudson.security.SecurityRealm;
@@ -103,6 +102,15 @@ public class TeamBasedACL extends SidACL {
}
}
}
+ // Member of any of the team with View CREATE Permission can create View
+ if (permission == View.CREATE) {
+ for (Team userTeam : teamManager.findUserTeams(userName)) {
+ TeamMember member = userTeam.findMember(userName);
+ if ((member != null) && member.hasPermission(View.CREATE)) {
+ return true;
+ }
+ }
+ }
}
if (scope == SCOPE.TEAM) {
// Sysadmin gets to do all team maintenance operations
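Review bot: The View.CREATE loop added here is repeated verbatim in the `SCOPE.VIEW` hunk that follows, so the rule for who may create a view lives in two places and can drift apart. A private helper, for example `private boolean canCreateView(String userName)`, called from both sites would keep the grant in one spot. `permission == View.CREATE` relies on Permission instances being shared singletons; that matches the surrounding code as far as it is visible, but a short comment saying so would help the next reader. The enclosing method starts and ends outside the hunk.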
@@ -158,9 +166,23 @@ public class TeamBasedACL extends SidACL {
if (scope == SCOPE.VIEW) {
Team viewTeam = teamManager.findViewOwnerTeam(view.getViewName());
+
+ // Member of any of the team with View CREATE Permission can create View
+ if (permission == View.CREATE) {
+ for (Team userTeam : teamManager.findUserTeams(userName)) {
+ TeamMember member = userTeam.findMember(userName);
+ if ((member != null) && member.hasPermission(View.CREATE)) {
+ return true;
+ }
+ }
+ }
if (viewTeam != null) {
if (viewTeam.isMember(userName)) {
+ // All members of the team get read permission
+ if (permission == View.READ) {
+ return true;
+ }
TeamMember member = viewTeam.findMember(userName);
return member.hasPermission(permission);
}
@@ -179,6 +201,10 @@ public class TeamBasedACL extends SidACL {
if (nodeTeam != null) {
if (nodeTeam.isMember(userName)) {
+ // All members of the team get read permission
+ if (permission == View.READ) {
+ return true;
+ }
TeamMember member = nodeTeam.findMember(userName);
return member.hasPermission(permission);
}
diff --git a/hudson-core/src/main/java/org/eclipse/hudson/security/team/TeamManager.java b/hudson-core/src/main/java/org/eclipse/hudson/security/team/TeamManager.java
index 7917b59b..c9a57571 100644
--- a/hudson-core/src/main/java/org/eclipse/hudson/security/team/TeamManager.java
+++ b/hudson-core/src/main/java/org/eclipse/hudson/security/team/TeamManager.java
@@ -880,7 +880,7 @@ public final class TeamManager implements Saveable, AccessControlled {
if (!isCurrentUserSysAdmin()) {
throw new RuntimeException(getCurrentUser() + " is not a System Administrator");
}
- for (View view : hudson.getViews()) {
+ for (View view : hudson.getAllViews()) {
String viewName = view.getViewName();
// Ensure views belong to public team if no other team own them
if (findViewOwnerTeam(viewName) == null){
@@ -1296,6 +1296,18 @@ public final class TeamManager implements Saveable, AccessControlled {
}
throw new TeamNotFoundException("User does not have create permission in any team");
}
+
+ public Team findCurrentUserTeamForNewView() throws TeamNotFoundException {
+ // This will only find explicit team members with create permission
+ List<Team> currentUserTeamsWithPermission = getCurrentUserTeamsWithPermission(View.CREATE);
+ if (!currentUserTeamsWithPermission.isEmpty()) {
+ return currentUserTeamsWithPermission.get(0);
+ }
+ if (isCurrentUserSysAdmin()) {
+ return publicTeam;
+ }
+ throw new TeamNotFoundException("User does not have create permission in any team");
+ }
/**
* Get the current user team qualified Id for the job name
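Review bot: `findCurrentUserTeamForNewView()` returns `currentUserTeamsWithPermission.get(0)`, so a user with View.CREATE in several teams has the new view assigned to whichever team comes first, and TeamBasedACL then grants View.READ to every member of that team. Until the team can be chosen in the UI (the TODO in View.java), that choice should at least be documented; the method has no Javadoc. Proposed: `/** Returns the team that will own a view created by the current user: the first team in which the user has View.CREATE, or the public team for a system administrator. */` plus an `@throws TeamNotFoundException` line for the no-permission case.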
@@ -1640,7 +1652,7 @@ public final class TeamManager implements Saveable, AccessControlled {
Hudson hudson = Hudson.getInstance();
//Null during initial setup
if (hudson != null) {
- for (View view : hudson.getViews()) {
+ for (View view : hudson.getAllViews()) {
TeamView teamView = new TeamView(view.getViewName());
if (view instanceof AllView) {
teamView.setMoveAllowed(false);
diff --git a/hudson-core/src/main/java/org/eclipse/hudson/security/team/TeamMember.java b/hudson-core/src/main/java/org/eclipse/hudson/security/team/TeamMember.java
index 1e1237a9..51a5f946 100644
--- a/hudson-core/src/main/java/org/eclipse/hudson/security/team/TeamMember.java
+++ b/hudson-core/src/main/java/org/eclipse/hudson/security/team/TeamMember.java
@@ -204,13 +204,15 @@ public class TeamMember {
teamAdminGrantedPermissions.add(Item.BUILD);
teamAdminGrantedPermissions.add(Item.WORKSPACE);
+ teamAdminGrantedPermissions.add(View.READ);
teamAdminGrantedPermissions.add(View.CREATE);
teamAdminGrantedPermissions.add(View.CONFIGURE);
teamAdminGrantedPermissions.add(View.DELETE);
+ teamAdminGrantedPermissions.add(Computer.READ);
teamAdminGrantedPermissions.add(Computer.CREATE);
- teamAdminGrantedPermissions.add(View.DELETE);
- teamAdminGrantedPermissions.add(View.CONFIGURE);
+ teamAdminGrantedPermissions.add(Computer.DELETE);
+ teamAdminGrantedPermissions.add(Computer.CONFIGURE);
}
List<String> getPermissions() {
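Review bot: Besides `View.READ`, this hunk gives team admins `Computer.READ`, `Computer.DELETE` and `Computer.CONFIGURE`, which widens what a team admin may do to nodes and is not mentioned in the commit description. The removed duplicate `View.DELETE`/`View.CONFIGURE` lines suggest this corrects a copy-paste slip, but the effect on node access deserves a comment, for example `// Node permissions: team admins manage the nodes owned by their team`. It is also worth checking that TeamBasedACL limits these grants to nodes owned by the admin's own team. The enclosing block starts outside the hunk.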
