
Commit 3632634

committed
escalate privilege so that we can see read protected projects as well
1 parent 5bab212 commit 3632634

1 file changed

Lines changed: 21 additions & 9 deletions


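--- a/src/main/java/com/cloudbees/jenkins/GitHubWebHook.java
+++ b/src/main/java/com/cloudbees/jenkins/GitHubWebHook.java
@@ -7,9 +7,12 @@
 import hudson.model.Hudson;
 import hudson.model.RootAction;
 import hudson.model.UnprotectedRootAction;
+import hudson.security.ACL;
 import hudson.util.AdaptedIterator;
 import hudson.util.Iterators.FilterIterator;
 import net.sf.json.JSONObject;
+import org.acegisecurity.Authentication;
+import org.acegisecurity.context.SecurityContextHolder;
 import org.kohsuke.github.GitHub;
 import org.kohsuke.stapler.StaplerRequest;
 
@@ -152,16 +155,25 @@ public void doIndex(StaplerRequest req) {
 LOGGER.fine("Full details of the POST was "+o.toString());
 Matcher matcher = REPOSITORY_NAME_PATTERN.matcher(repoUrl);
 if (matcher.matches()) {
-GitHubRepositoryName changedRepository = new GitHubRepositoryName(matcher.group(1), ownerName, repoName);
-for (AbstractProject<?,?> job : Hudson.getInstance().getAllItems(AbstractProject.class)) {
-GitHubPushTrigger trigger = job.getTrigger(GitHubPushTrigger.class);
-if (trigger!=null) {
-LOGGER.fine("Considering to poke "+job.getFullDisplayName());
-if (trigger.getGitHubRepositories().contains(changedRepository))
-trigger.onPost();
-else
-LOGGER.fine("Skipped "+job.getFullDisplayName()+" because it doesn't have a matching repository.");
+// run in high privilege to see all the projects anonymous users don't see.
+// this is safe because when we actually schedule a build, it's a build that can
+// happen at some random time anyway.
+Authentication old = SecurityContextHolder.getContext().getAuthentication();
+SecurityContextHolder.getContext().setAuthentication(ACL.SYSTEM);
+try {
+GitHubRepositoryName changedRepository = new GitHubRepositoryName(matcher.group(1), ownerName, repoName);
+for (AbstractProject<?,?> job : Hudson.getInstance().getAllItems(AbstractProject.class)) {
+GitHubPushTrigger trigger = job.getTrigger(GitHubPushTrigger.class);
+if (trigger!=null) {
+LOGGER.fine("Considering to poke "+job.getFullDisplayName());
+if (trigger.getGitHubRepositories().contains(changedRepository))
+trigger.onPost();
+else
+LOGGER.fine("Skipped "+job.getFullDisplayName()+" because it doesn't have a matching repository.");
+}
 }
+} finally {
+SecurityContextHolder.getContext().setAuthentication(old);
 }
 } else {
 LOGGER.warning("Malformed repo url "+repoUrl);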
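Review bot: The ACL.SYSTEM scope at new lines 161–176 of doIndex covers `trigger.onPost()` as well as the `getAllItems` enumeration, so the trigger callback runs with full privilege on behalf of a request that the visible code does not authenticate (the class imports `UnprotectedRootAction` and the comment itself speaks of anonymous users). Only the enumeration needs the elevated context; I would collect the matching triggers inside the try and call onPost() after the finally has restored `old`, assuming onPost needs no permission of its own, which its body (not shown) would have to confirm. The safety comment should also name what it relies on, for example `// safe only while onPost() merely schedules polling and no job name is returned to the caller`. doIndex begins and ends outside this hunk, so whether the payload's origin is checked earlier cannot be seen here.

```java
List<GitHubPushTrigger> matched = new ArrayList<GitHubPushTrigger>();
// … unchanged: save old authentication, switch to ACL.SYSTEM, try { enumerate jobs …
        if (trigger.getGitHubRepositories().contains(changedRepository))
            matched.add(trigger);   // defer the call until privileges are dropped
// … unchanged: "Skipped" log branch, finally { restore old } …
// only the enumeration above ran as SYSTEM
for (GitHubPushTrigger t : matched)
    t.onPost();
```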
