[JENKINS-62183] Allow user with Jenkins.MANAGE to access global config

pom.xml

@@ -29,7 +29,7 @@
     <changelist>-SNAPSHOT</changelist>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <argLine>-Dfile.encoding=${project.build.sourceEncoding}</argLine>
-    <jenkins.version>2.204.1</jenkins.version>
+    <jenkins.version>2.222.1</jenkins.version>
     <java.level>8</java.level>
     <no-test-jar>false</no-test-jar>
     <useBeta>true</useBeta>

src/main/java/hudson/plugins/git/GitSCM.java

@@ -50,6 +50,7 @@
 import hudson.scm.SCMDescriptor;
 import hudson.scm.SCMRevisionState;
 import hudson.security.ACL;
+import hudson.security.Permission;
 import hudson.tasks.Builder;
 import hudson.tasks.Publisher;
 import hudson.triggers.SCMTrigger;
@@ -79,6 +80,7 @@
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.export.Exported;
 
+import javax.annotation.Nonnull;
 import javax.servlet.ServletException;
 
 import java.io.File;
@@ -1480,6 +1482,12 @@ public DescriptorImpl() {
             load();
         }
 
+        @Nonnull
+        @Override
+        public Permission getRequiredGlobalConfigPagePermission() {
+            return Jenkins.MANAGE;
+        }
+
         public boolean isShowEntireCommitSummaryInChanges() {
             return showEntireCommitSummaryInChanges;
         }

src/test/java/hudson/plugins/git/GitSCMTest.java

@@ -16,6 +16,7 @@
 
 import hudson.EnvVars;
 import hudson.FilePath;
+import hudson.Functions;
 import hudson.Launcher;
 import hudson.matrix.Axis;
 import hudson.matrix.AxisList;
@@ -41,6 +42,8 @@
 import hudson.scm.PollingResult;
 import hudson.scm.PollingResult.Change;
 import hudson.scm.SCMRevisionState;
+import hudson.security.ACL;
+import hudson.security.ACLContext;
 import hudson.slaves.DumbSlave;
 import hudson.slaves.EnvironmentVariablesNodeProperty.Entry;
 import hudson.tools.ToolLocationNodeProperty;
@@ -63,6 +66,7 @@
 import org.junit.Ignore;
 import org.junit.Rule;
 import org.junit.Test;
+import org.jvnet.hudson.test.MockAuthorizationStrategy;
 import org.jvnet.hudson.test.TestExtension;
 
 import java.io.File;
@@ -148,6 +152,32 @@ private StandardCredentials getInvalidCredential() {
         return new UsernamePasswordCredentialsImpl(scope, id, "desc: " + id, username, password);
     }
 
+    @Test
+    public void manageShouldAccessGlobalConfig() {
+        final String USER = "user";
+        final String MANAGER = "manager";
+        rule.jenkins.setSecurityRealm(rule.createDummySecurityRealm());
+        rule.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
+                                                   // Read access
+                                                   .grant(Jenkins.READ).everywhere().to(USER)
+
+                                                   // Read and Manage
+                                                   .grant(Jenkins.READ).everywhere().to(MANAGER)
+                                                   .grant(Jenkins.MANAGE).everywhere().to(MANAGER)
+        );
+
+        try (ACLContext c = ACL.as(User.getById(USER, true))) {
+            Collection<Descriptor> descriptors = Functions.getSortedDescriptorsForGlobalConfigUnclassified();
+            assertTrue("Global configuration should not be accessible to READ users", descriptors.size() == 0);
+        }
+        try (ACLContext c = ACL.as(User.getById(MANAGER, true))) {
+            Collection<Descriptor> descriptors = Functions.getSortedDescriptorsForGlobalConfigUnclassified();
+            Optional<Descriptor> found =
+                    descriptors.stream().filter(descriptor -> descriptor instanceof GitSCM.DescriptorImpl).findFirst();
+            assertTrue("Global configuration should be accessible to MANAGE users", found.isPresent());
+        }
+    }
+
     @Test
     public void trackCredentials() throws Exception {
         StandardCredentials credential = getInvalidCredential();