Your browser was unable to load all of the resources. They may have been blocked by your firewall, proxy or browser configuration.
Press Ctrl+F5 or Ctrl+Shift+R to have your browser try again.

Rest API build trigger - Do not check enough permissions. #4230

thang.dv2 ·

Current QB only check RUN_BUILD permission between User and Configuration. But variables into this Configuration only check condition with user through website, do not check through REST API.
So, we must block when user call API include not able parameters.

  • replies 13
  • views 4134
  • stars 0
thang.dv2 ·

For example:
In the web, Variable A have choices:
1
2
3
4
But API include Variable A with value: 6
This should be block.

robinshen ADMIN ·

Currently variable value checking is not subject to permission check as otherwise the permission system can be very complicated (considering different configurations have different variable types/values). You may consider checking if variable value is expected at start of your build, and fail it upon an unexpected value.

thang.dv2 ·

I know but we have to do that, because we need to fragment user permission with each of choices variable values. Permissions system are not enough to use.

robinshen ADMIN ·

Do you mean different user is allowed to trigger build with different set of variable values? Making this part of general permission schema is somewhat difficult considering different configurations having different variables and values. So I'd suggest to do it in your build instead: you can even check in your build against triggering user name to determine if the variable values specified are permitted.

thang.dv2 ·

Yes, Thank you. I think that I'll check this permission in Re-queue Script.

thang.dv2 ·

When I return a through exception, API response prints whole pre-queue script in the master log, and in the user's return value.

If I return false, request was rejected. But status code is 200 ok. Because 200 should be build started okay. => We don't detect although this request was rejected.
Please help us.

robinshen ADMIN ·

You may check it in the pre-build script or add a groovy scripting step as the first step of the build.

thang.dv2 ·

Yes, I can check and block this problem but how can it return reject status code (403,....) not 200 OK in groovy script exclude error message? Have you any idea?

robinshen ADMIN ·
thang.dv2 ·

Thank you! I am updating the latest version to apply this change.

robinshen ADMIN ·

No problem. Just return an integer number to indicate http status code in pre-queue script, or return 200 to accept the request

thang.dv2 ·

@robinshen Excuse me, After integrate with https://track.pmease.com/browse/QB-3559 "Improve pre-queue script to return status code and status as necessary", It ran well with status code controler. But we are not able to control reject reason of requester.
This improvement only supporting control status response, not including flexible reason. Please help us improve both status code and reason of response under only a returning;

robinshen ADMIN ·