jenkinsci · timja · Feb 22, 2020 · Nov 20, 2019 · Nov 20, 2019 · Nov 20, 2019
diff --git a/core/src/main/java/hudson/PluginManager.java b/core/src/main/java/hudson/PluginManager.java
@@ -1397,7 +1397,7 @@ public HttpResponse doPlugins() {
 
     @RequirePOST
     public HttpResponse doUpdateSources(StaplerRequest req) throws IOException {
-        Jenkins.get().checkPermission(CONFIGURE_UPDATECENTER);
+        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
 
         if (req.hasParameter("remove")) {
             UpdateCenter uc = Jenkins.get().getUpdateCenter();
@@ -1603,7 +1603,7 @@ private UpdateSite.Plugin getPlugin(String pluginName, String siteName) {
     @RequirePOST
     public HttpResponse doSiteConfigure(@QueryParameter String site) throws IOException {
         Jenkins hudson = Jenkins.get();
-        hudson.checkPermission(CONFIGURE_UPDATECENTER);
+        hudson.checkPermission(Jenkins.ADMINISTER);
         UpdateCenter uc = hudson.getUpdateCenter();
         PersistedList<UpdateSite> sites = uc.getSites();
         for (UpdateSite s : sites) {
@@ -1618,7 +1618,7 @@ public HttpResponse doSiteConfigure(@QueryParameter String site) throws IOExcept
     @POST
     public HttpResponse doProxyConfigure(StaplerRequest req) throws IOException, ServletException {
         Jenkins jenkins = Jenkins.get();
-        jenkins.checkPermission(CONFIGURE_UPDATECENTER);
+        jenkins.checkPermission(Jenkins.ADMINISTER);
 
         ProxyConfiguration pc = req.bindJSON(ProxyConfiguration.class, req.getSubmittedForm());
         if (pc.name==null) {
@@ -1637,7 +1637,7 @@ public HttpResponse doProxyConfigure(StaplerRequest req) throws IOException, Ser
     @RequirePOST
     public HttpResponse doUploadPlugin(StaplerRequest req) throws IOException, ServletException {
         try {
-            Jenkins.get().checkPermission(UPLOAD_PLUGINS);
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
 
             ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
 
@@ -2105,8 +2105,12 @@ public String toString() {
     }
     public static boolean FAST_LOOKUP = !SystemProperties.getBoolean(PluginManager.class.getName()+".noFastLookup");
 
-    public static final Permission UPLOAD_PLUGINS = new Permission(Jenkins.PERMISSIONS, "UploadPlugins", Messages._PluginManager_UploadPluginsPermission_Description(),Jenkins.ADMINISTER,PermissionScope.JENKINS);
-    public static final Permission CONFIGURE_UPDATECENTER = new Permission(Jenkins.PERMISSIONS, "ConfigureUpdateCenter", Messages._PluginManager_ConfigureUpdateCenterPermission_Description(),Jenkins.ADMINISTER,PermissionScope.JENKINS);
+    /** @deprecated use {@link Jenkins#ADMINISTER} instead */
+    @Deprecated
+    public static final Permission UPLOAD_PLUGINS = Jenkins.ADMINISTER;
+    /** @deprecated use {@link Jenkins#ADMINISTER} instead */
+    @Deprecated
+    public static final Permission CONFIGURE_UPDATECENTER = Jenkins.ADMINISTER;
 
     /**
      * Remembers why a plugin failed to deploy.

diff --git a/core/src/main/java/hudson/cli/GroovyCommand.java b/core/src/main/java/hudson/cli/GroovyCommand.java
@@ -59,7 +59,7 @@ public String getShortDescription() {
 
     protected int run() throws Exception {
         // this allows the caller to manipulate the JVM state, so require the execute script privilege.
-        Jenkins.getActiveInstance().checkPermission(Jenkins.RUN_SCRIPTS);
+        Jenkins.getActiveInstance().checkPermission(Jenkins.ADMINISTER);
 
         Binding binding = new Binding();
         binding.setProperty("out",new PrintWriter(stdout,true));

diff --git a/core/src/main/java/hudson/cli/GroovyshCommand.java b/core/src/main/java/hudson/cli/GroovyshCommand.java
@@ -60,7 +60,7 @@ public String getShortDescription() {
     @Override
     protected int run() {
         // this allows the caller to manipulate the JVM state, so require the admin privilege.
-        Jenkins.getActiveInstance().checkPermission(Jenkins.RUN_SCRIPTS);
+        Jenkins.getActiveInstance().checkPermission(Jenkins.ADMINISTER);
 
         // this being remote means no jline capability is available
         System.setProperty("jline.terminal", UnsupportedTerminal.class.getName());

diff --git a/core/src/main/java/hudson/cli/InstallPluginCommand.java b/core/src/main/java/hudson/cli/InstallPluginCommand.java
@@ -83,7 +83,7 @@ public String getShortDescription() {
     @Override
     protected int run() throws Exception {
         Jenkins h = Jenkins.get();
-        h.checkPermission(PluginManager.UPLOAD_PLUGINS);
+        h.checkPermission(Jenkins.ADMINISTER);
         PluginManager pm = h.getPluginManager();
 
         if (name != null) {

diff --git a/core/src/main/java/hudson/util/RemotingDiagnostics.java b/core/src/main/java/hudson/util/RemotingDiagnostics.java
@@ -196,7 +196,7 @@ public void doIndex(StaplerResponse rsp) throws IOException {
 
         @WebMethod(name="heapdump.hprof")
         public void doHeapDump(StaplerRequest req, StaplerResponse rsp) throws IOException, InterruptedException {
-            owner.checkPermission(Jenkins.RUN_SCRIPTS);
+            owner.checkPermission(Jenkins.ADMINISTER);
             rsp.setContentType("application/octet-stream");
 
             FilePath dump = obtain();

diff --git a/core/src/main/java/jenkins/management/ConsoleLink.java b/core/src/main/java/jenkins/management/ConsoleLink.java
@@ -57,6 +57,6 @@ public String getUrlName() {
 
     @Override
     public Permission getRequiredPermission() {
-        return Jenkins.RUN_SCRIPTS;
+        return Jenkins.ADMINISTER;
     }
 }
diff --git a/core/src/main/java/jenkins/model/Jenkins.java b/core/src/main/java/jenkins/model/Jenkins.java
@@ -4494,7 +4494,7 @@ public void doScriptText(StaplerRequest req, StaplerResponse rsp) throws IOExcep
      */
     public static void _doScript(StaplerRequest req, StaplerResponse rsp, RequestDispatcher view, VirtualChannel channel, ACL acl) throws IOException, ServletException {
         // ability to run arbitrary script is dangerous
-        acl.checkPermission(RUN_SCRIPTS);
+        acl.checkPermission(ADMINISTER);
 
         String text = req.getParameter("script");
         if (text != null) {
@@ -4524,7 +4524,7 @@ public static void _doScript(StaplerRequest req, StaplerResponse rsp, RequestDis
      */
     @RequirePOST
     public void doEval(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
-        checkPermission(RUN_SCRIPTS);
+        checkPermission(ADMINISTER);
         req.getWebApp().getDispatchValidator().allowDispatch(req, rsp);
         try {
             MetaClass mc = req.getWebApp().getMetaClass(getClass());
@@ -5269,7 +5269,9 @@ private static void computeVersion(ServletContext context) {
     public static final PermissionGroup PERMISSIONS = Permission.HUDSON_PERMISSIONS;
     public static final Permission ADMINISTER = Permission.HUDSON_ADMINISTER;
     public static final Permission READ = new Permission(PERMISSIONS,"Read",Messages._Hudson_ReadPermission_Description(),Permission.READ,PermissionScope.JENKINS);
-    public static final Permission RUN_SCRIPTS = new Permission(PERMISSIONS, "RunScripts", Messages._Hudson_RunScriptsPermission_Description(),ADMINISTER,PermissionScope.JENKINS);
+    /** @deprecated use {@link #ADMINISTER} instead */
+    @Deprecated
+    public static final Permission RUN_SCRIPTS = ADMINISTER;
 
     /**
      * Urls that are always visible without READ permission.

diff --git a/core/src/main/java/jenkins/security/s2m/AdminWhitelistRule.java b/core/src/main/java/jenkins/security/s2m/AdminWhitelistRule.java
@@ -212,7 +212,7 @@ public boolean getMasterKillSwitch() {
     public void setMasterKillSwitch(boolean state) {
         final Jenkins jenkins = Jenkins.get();
         try {
-            jenkins.checkPermission(Jenkins.RUN_SCRIPTS);
+            jenkins.checkPermission(Jenkins.ADMINISTER);
             File f = getMasterKillSwitchFile(jenkins);
             FileUtils.writeStringToFile(f, Boolean.toString(state), Charset.defaultCharset());
             // treat the file as the canonical source of information in case write fails
@@ -227,7 +227,7 @@ public void setMasterKillSwitch(boolean state) {
      */
     @Override
     public Object getTarget() {
-        Jenkins.get().checkPermission(Jenkins.RUN_SCRIPTS);
+        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
         return this;
     }
 

diff --git a/core/src/main/java/jenkins/security/s2m/MasterKillSwitchConfiguration.java b/core/src/main/java/jenkins/security/s2m/MasterKillSwitchConfiguration.java
@@ -48,7 +48,7 @@ public boolean configure(StaplerRequest req, JSONObject json) throws FormExcepti
      * Unless this option is relevant, we don't let users choose this.
      */
     public boolean isRelevant() {
-        return jenkins.hasPermission(Jenkins.RUN_SCRIPTS) && jenkins.isUseSecurity();
+        return jenkins.hasPermission(Jenkins.ADMINISTER) && jenkins.isUseSecurity();
     }
 }
 
diff --git a/core/src/main/resources/hudson/PluginManager/advanced.jelly b/core/src/main/resources/hudson/PluginManager/advanced.jelly
@@ -35,7 +35,7 @@ THE SOFTWARE.
       <table id="pluginsAdv" class="pane" style="margin-top:0; border-top:none">
         <tr style="border-top:none; white-space: normal">
           <td>
-            <l:hasPermission permission="${app.pluginManager.CONFIGURE_UPDATECENTER}">
+            <l:hasPermission permission="${app.ADMINISTER}">
               <h1>${%HTTP Proxy Configuration}</h1>
               <f:form method="post" action="proxyConfigure" name="proxyConfigure">
                 <j:scope>
@@ -49,7 +49,7 @@ THE SOFTWARE.
               </f:form>
             </l:hasPermission>
 
-            <l:hasPermission permission="${app.pluginManager.UPLOAD_PLUGINS}">
+            <l:hasPermission permission="${app.ADMINISTER}">
               <h1>${%Upload Plugin}</h1>
               <f:form method="post" action="uploadPlugin" name="uploadPlugin" enctype="multipart/form-data">
                 <f:block>
@@ -66,7 +66,7 @@ THE SOFTWARE.
                 </f:block>
               </f:form>
             </l:hasPermission>
-            <l:hasPermission permission="${app.pluginManager.CONFIGURE_UPDATECENTER}">
+            <l:hasPermission permission="${app.ADMINISTER}">
               <h1>${%Update Site}</h1>
               <f:form method="post" action="siteConfigure" name="siteConfigure">
                 <f:entry title="${%URL}" >

diff --git a/core/src/main/resources/hudson/PluginManager/tabBar.jelly b/core/src/main/resources/hudson/PluginManager/tabBar.jelly
@@ -31,7 +31,7 @@ THE SOFTWARE.
     <l:tab name="${%Updates}" active="${page=='updates'}" href="." />
     <l:tab name="${%Available}" active="${page=='available'}" href="./available" />
     <l:tab name="${%Installed}" active="${page=='installed'}" href="./installed" />
-  <j:if test="${h.hasPermission(app.pluginManager.UPLOAD_PLUGINS) || h.hasPermission(app.pluginManager.CONFIGURE_UPDATECENTER)}">
+  <j:if test="${h.hasPermission(app.ADMINISTER) }">
     <l:tab name="${%Advanced}" active="${page=='advanced'}" href="./advanced" />
   </j:if>
   </l:tabBar>

diff --git a/core/src/main/resources/hudson/model/Computer/sidepanel.jelly b/core/src/main/resources/hudson/model/Computer/sidepanel.jelly
@@ -37,7 +37,7 @@ THE SOFTWARE.
       <l:task href="${rootURL}/${it.url}builds" icon="icon-notepad icon-md" title="${%Build History}"/>
       <l:task href="${rootURL}/${it.url}load-statistics" icon="icon-monitor icon-md" title="${%Load Statistics}"/>
       <j:if test="${it.channel!=null}">
-        <l:task href="${rootURL}/${it.url}script" icon="icon-terminal icon-md" permission="${app.RUN_SCRIPTS}" title="${%Script Console}"/>
+        <l:task href="${rootURL}/${it.url}script" icon="icon-terminal icon-md" permission="${app.ADMINISTER}" title="${%Script Console}"/>
       </j:if>
       <st:include page="sidepanel2.jelly" optional="true" /><!-- hook for derived class to add more items -->
       <t:actions />

diff --git a/core/src/main/resources/jenkins/security/s2m/AdminWhitelistRule/index.jelly b/core/src/main/resources/jenkins/security/s2m/AdminWhitelistRule/index.jelly
@@ -23,7 +23,7 @@ THE SOFTWARE.
 -->
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
-<l:layout title="${%Whitelist}" permission="${app.RUN_SCRIPTS}">
+<l:layout title="${%Whitelist}" permission="${app.ADMINISTER}">
   <st:include page="sidepanel.jelly" it="${app}"/>
   <l:main-panel>
     <h1>${%Agent &#8594; Master Access Control}</h1>

diff --git a/core/src/main/resources/lib/hudson/scriptConsole.jelly b/core/src/main/resources/lib/hudson/scriptConsole.jelly
@@ -27,7 +27,7 @@ THE SOFTWARE.
 -->
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:f="/lib/form">
-  <l:layout norefresh="true" permission="${h.RUN_SCRIPTS}">
+  <l:layout norefresh="true" permission="${h.ADMINISTER}">
     <st:include page="sidepanel.jelly" />
 
     <l:main-panel>

diff --git a/test/src/test/java/hudson/cli/GroovyshCommandTest.java b/test/src/test/java/hudson/cli/GroovyshCommandTest.java
@@ -41,7 +41,7 @@ public class GroovyshCommandTest {
     @Issue("JENKINS-17929")
     @Test public void authentication() throws Exception {
         CLICommandInvoker.Result result = new CLICommandInvoker(r, new GroovyshCommand())
-            .authorizedTo(Jenkins.READ, Jenkins.RUN_SCRIPTS)
+            .authorizedTo(Jenkins.READ, Jenkins.ADMINISTER)
             .withStdin(new StringInputStream("println(jenkins.model.Jenkins.instance.getClass().name)\n:quit\n"))
             .invoke();
         assertThat(result, succeeded());

diff --git a/test/src/test/java/jenkins/model/JenkinsTest.java b/test/src/test/java/jenkins/model/JenkinsTest.java
@@ -355,8 +355,8 @@ public void testDoEval() throws Exception {
 
         wc.withBasicApiToken(User.getById("charlie", true));
         page = eval(wc);
-        assertEquals("charlie has ADMINISTER but not RUN_SCRIPTS", 
-                HttpURLConnection.HTTP_FORBIDDEN,
+        assertEquals("charlie has ADMINISTER and READ",
+                HttpURLConnection.HTTP_OK,
                 page.getWebResponse().getStatusCode());
     }
     private Page eval(WebClient wc) throws Exception {