Bug 458276 - [Security] a deleted user who is authenticated in a browser can still build jobs etc..
Status: RESOLVED WONTFIX
Alias: None
Product: Hudson
Classification: Technology
Component: Core
Version: 3.2.1
Hardware: PC Windows 7
Importance: P3 blocker
Target Milestone: ---
Assignee: Winston Prakash CLA
QA Contact: Geoff Waymark CLA
URL:
Whiteboard: candidate-3.4.0
Keywords: security
Depends on:
Blocks:
 
Reported: 2015-01-23 11:01 EST by Geoff Waymark CLA
Modified: 2019-05-14 14:06 EDT
Description Geoff Waymark CLA 2015-01-23 11:01:16 EST
For Hudson's own user database at least, if a user is logged in in a web browser they can still run commands against the server even though their account has been deleted. I assume the same would be true for LDAP etc.

Steps to reproduce:
1. Create two users and a few jobs with security provided by matrixed Hudson's own user database.
2. Log in as the second user in a web browser
3. As the first user delete the second
4. User 2 can still build a job from the web ui if they remain on that page.

A user should be rechecked before being allowed to run an action.
Comment 1 Geoff Waymark CLA 2015-01-23 11:08:56 EST
You are not even logged out on page change and can, by visiting the people page and changing your password, re-add yourself as a user to the security realm!

Increasing the severity accordingly.
Comment 2 Wayne Beaton CLA 2019-05-14 14:06:10 EDT
The Eclipse Hudson project has been terminated and archived.
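
The re-check asked for in the description, as an added example that is not Hudson's code: a constructed in-memory realm (all class and method names are hypothetical) that revokes sessions on delete, re-validates the account on every action, and lets a password change update only an existing record, which also closes the re-add path from Comment 1.

```python
import hashlib
import hmac
import secrets

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class SecurityRealm:
    """Constructed in-memory user database and session table (hypothetical names)."""
    def __init__(self):
        self.users = {}      # username -> {"salt", "hash", "gen"}
        self.sessions = {}   # session token -> (username, gen seen at login)
        self._gen = 0

    def create_user(self, name, password):
        self._gen += 1
        salt = secrets.token_bytes(16)
        self.users[name] = {"salt": salt, "hash": _hash(password, salt), "gen": self._gen}

    def delete_user(self, name):
        self.users.pop(name, None)
        # Revoke the deleted account's sessions immediately.
        self.sessions = {t: s for t, s in self.sessions.items() if s[0] != name}

    def login(self, name, password):
        user = self.users.get(name)
        if user is None or not hmac.compare_digest(user["hash"], _hash(password, user["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (name, user["gen"])
        return token

    def require_user(self, token):
        """Re-check the account on every request instead of trusting the session."""
        name, gen = self.sessions.get(token, (None, None))
        user = self.users.get(name)
        # Reject a deleted account, or a later account re-created under the same name.
        if user is None or user["gen"] != gen:
            self.sessions.pop(token, None)
            raise PermissionError("session does not map to an existing user")
        return name

    def build_job(self, token, job):
        return f"{job} started by {self.require_user(token)}"

    def change_password(self, token, new_password):
        user = self.users[self.require_user(token)]
        # Update the existing record only; never create one as a side effect.
        user["hash"] = _hash(new_password, user["salt"])
```

The per-request check in `require_user` is what still holds if a session outlives the revocation in `delete_user`, for example when sessions are cached on another node.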