[JIRA] (JENKINS-14546) Regular users (others than admin) can't see any nested-views (other than the default one) with role-based authorization strategy activated

Users have "Read" rights on "View" item but don't have "Configure" rights on "View" item. When "Configure" rights on "View" item is checked, regular users can see any nested-views but this configuration is unsafe.

I think upgrade Jenkins to version 1.467 or greater, will resolve this problem (like it will be mentionned into JENKINS-13429, can you confirm this ?

I have the same problen on my own Jenkins server (v1.480).
I'm admin and I see all nested views. But my regular users can't see it.

I have the same problen on my own Jenkins server (Jenkins v1.480, nested View Plugin v1.9).
I'm admin and I see all nested views. But my regular users can't see it.

Problem still remains with Jenkins-1.483.

Without View.READ permissions, nested views are not shown as tabs, but can be accessed if the URL's guessed correctly.

Problem still remains with Jenkins-1.483, Nested View Plugin 1.8, role-strategy 1.1.2.

Without View.READ permissions, nested views are not shown as tabs, but can be accessed if the URL's guessed correctly.

Problem still remains with Jenkins-1.483, Nested View Plugin 1.8, and 1.9, role-strategy 1.1.2.

Without View.READ permissions, nested views are not shown as tabs, but can be accessed if the URL's guessed correctly.

I think this is due to how Jenkins handles read permissions in Views.

In hudson.security.AuthorizationStrategy#getACL, there's the following code:
{{{
if (!hasPermission && permission == View.READ) { return base.hasPermission(a,View.CONFIGURE) || !item.getItems().isEmpty(); }
}}}

The problem here is that for a nested view containing views (and no Jobs), item.getItems().isEmpty() is always true (getItems() only returns TopLevelElements - which nested views are not).

One way to fix this could be to introduce a isEmpty() method in hudson.model.Views - which would return this.getItems.isEmpty(). Subclasses like NestedView from the Nested Views Plugin could override this method, and return true if any of the contained views is not empty.

I think this is due to how Jenkins handles read permissions in Views.

In hudson.security.AuthorizationStrategy#getACL, there's the following code:

if (!hasPermission && permission == View.READ)

Unknown macro: { return base.hasPermission(a,View.CONFIGURE) || !item.getItems().isEmpty(); }

The problem here is that for a nested view containing views (and no Jobs), item.getItems().isEmpty() is always true (getItems() only returns TopLevelElements - which [nested] views are not).

One way to fix this could be to introduce a isEmpty() method in hudson.model.Views - which would return this.getItems.isEmpty(). Subclasses like NestedView from the Nested Views Plugin could override this method, and return true if any of the contained views is not empty.

I think this is due to how Jenkins handles read permissions in Views.

In hudson.security.AuthorizationStrategy#getACL, there's the following code:

if (!hasPermission && permission == View.READ) {
    return base.hasPermission(a,View.CONFIGURE) || !item.getItems().isEmpty();
}

The problem here is that for a nested view containing views (and no Jobs), item.getItems().isEmpty() is always true (getItems() only returns TopLevelElements - which [nested] views are not).

One way to fix this could be to introduce a isEmpty() method in hudson.model.Views - which would return this.getItems.isEmpty(). Subclasses like NestedView from the Nested Views Plugin could override this method, and return true if any of the contained views is not empty.

We are facing the same problem (Jenkins LTS 1.466.2 & Nested View 1.9)
Even if View.READ permission is granted, nested views are not visible to regular (non-admin) users;
As a workaround, we have emailed the affected users the URL to the view (eg: http://jenkins_server/view/VIEWNAME)

We are facing the same problem (Jenkins LTS 1.466.2 & Nested View 1.9) [using Project-based Matrix Authorization Strategy]
Even if View.READ permission is granted, nested views are not visible to regular (non-admin) users;
As a workaround, we have emailed the affected users the URL to the view (eg: http://jenkins_server/view/VIEWNAME)

We are facing the same problem (Jenkins LTS 1.466.2 & Nested View 1.9) [using Project-based Matrix Authorization Strategy]
Even if View.READ permission is granted, nested views are not visible to regular (non-admin) users;
As a workaround, we have emailed the affected users the URL to the view (eg: http://jenkins_server/view/VIEWNAME)
[Note: This issue was not visible when we were running Jenkins 1.450 / Nested view plugin 1.9]

We are facing the same problem (Jenkins LTS 1.466.2 & Nested View 1.9) [using Project-based Matrix Authorization Strategy]
Even if View.READ permission is granted, nested views are not visible to regular (non-admin) users;
As a workaround, we have emailed the affected users the URL to the view (eg: http://jenkins_server/view/VIEWNAME)
[Note: This issue was not visible when we were running Jenkins 1.450 / Nested view plugin 1.8]

JENKINS-13429 was fixed in 1.467. @martinkutter your comment about getACL is missing the point, which is that you need to grant View.READ for people to see the views. The block you quote is only for backward compatibility with old versions of Jenkins that did not define View.READ at all.

The issue is not fixed in Jenkins 1.467.

I'm on 1.480.3-LTS with Role Strategy plugin 1.1.2 and Nested View Plugin 1.8.

We have several top-level-views, which are only shown, when a user has the (global) View.READ permission. They are not shown as tabs in the UI, but can be accesed by directly invoking the view's URL. These views are of the type "Nested View" and do not contain other jobs.

This means that the "backward compatibility" trick in JENKINS-3681 does not work, when a view contains only other views (and no jobs).

A user can either see all views (by means of the View.READ) permission, or only views containing Jobs.

I'm on 1.480.3-LTS with Role Strategy plugin 1.1.2 and Nested View Plugin 1.9.

Martin Kutter: "These views are of the type "Nested View" and do not contain other jobs"
=> I created a dummy job on my nested view as a direct child but still the nested view is not visible for users who have the rights.

But yes, knowing the Links (of the Job, the Nested View or a Subview) works

I'm on 1.480.3-LTS with Role Strategy plugin 1.1.2 and Nested View Plugin 1.9.

Martin Kutter: "These views are of the type "Nested View" and do not contain other jobs"
=> I created a dummy job on my nested view as a direct child but still the nested view is not visible for users who have the rights.

But yes, if you know the Links (of the Job, the Nested View or a Subview) you have access to them.