From ebe3d6f5b8204bccd856c8c814ba625fb9bfdde2 Mon Sep 17 00:00:00 2001
From: Jesse Glick
Date: Thu, 22 Dec 2022 17:10:23 -0500
Subject: [PATCH] Check Run/Replay permission if defined
---
 src/main/java/jenkins/scm/impl/TrustworthyBuilds.java | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/main/java/jenkins/scm/impl/TrustworthyBuilds.java b/src/main/java/jenkins/scm/impl/TrustworthyBuilds.java
index 1f2de667..9eec6564 100644
--- a/src/main/java/jenkins/scm/impl/TrustworthyBuilds.java
+++ b/src/main/java/jenkins/scm/impl/TrustworthyBuilds.java
@@ -27,6 +27,7 @@
 import hudson.Extension;
 import hudson.model.Cause;
 import hudson.model.Item;
+import hudson.model.Run;
 import hudson.model.User;
 import jenkins.scm.api.TrustworthyBuild;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
@@ -53,12 +54,15 @@ public static TrustworthyBuild byUserId() {
 return false;
 }
 try {
- // TODO could also have workflow-cps offer this to anyone with only ReplayAction.REPLAY
- if (build.hasPermission2(user.impersonate2(), Item.CONFIGURE)) {
+ var permission = Run.PERMISSIONS.find("Replay"); // ReplayAction.REPLAY
+ if (permission == null) { // no workflow-cps
+ permission = Item.CONFIGURE;
+ }
+ if (build.hasPermission2(user.impersonate2(), permission)) {
 listener.getLogger().printf("Trusting build since it was started by user ‘%s’%n", userId);
 return true;
 } else {
- listener.getLogger().printf("Not trusting build since user ‘%s’ lacks Job/Configure permission%n", userId);
+ listener.getLogger().printf("Not trusting build since user ‘%s’ lacks %s/%s permission%n", userId, permission.group.title, permission.name);
 return false;
 }
 } catch (UsernameNotFoundException x) {
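Review bot: In the second hunk the trust decision in byUserId() now rests on a name-only lookup, `Run.PERMISSIONS.find("Replay")`, and nothing at that line records why Run/Replay is enough to trust a build where Job/Configure was required before. I would add a comment above the lookup such as `// Replay already lets this user run an edited Pipeline script on the job, so trusting their build grants nothing new` (rationale to be confirmed by the author), so a later reader does not take the lower threshold for an accidental weakening. The fallback to `Item.CONFIGURE` fails closed, but it presumably also fires if the permission exists yet is not registered in the group when this runs, so the registration order is worth confirming. The commit changes one file and adds no test; one case per branch (permission found, permission absent) would pin which permission gates trust. The method body starts and ends outside the hunk.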