diff --git a/src/main/java/com/synopsys/arc/jenkinsci/plugins/jobrestrictions/restrictions/job/RegexNameRestriction.java b/src/main/java/com/synopsys/arc/jenkinsci/plugins/jobrestrictions/restrictions/job/RegexNameRestriction.java
index 01deba2..33e8552 100644
--- a/src/main/java/com/synopsys/arc/jenkinsci/plugins/jobrestrictions/restrictions/job/RegexNameRestriction.java
+++ b/src/main/java/com/synopsys/arc/jenkinsci/plugins/jobrestrictions/restrictions/job/RegexNameRestriction.java
@@ -33,8 +33,10 @@
 import hudson.util.FormValidation;
 import java.util.regex.Pattern;
 import java.util.regex.PatternSyntaxException;
+import jenkins.model.Jenkins;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 /**
 * Restricts the jobs execution by applying regular expressions to their names.
@@ -86,7 +88,9 @@ public String getDisplayName() {
 return Messages.restrictions_Job_RegexName();
 }
+ @RequirePOST
 public FormValidation doCheckRegexExpression(@QueryParameter String regexExpression) {
+ Jenkins.get().checkPermission(Jenkins.ADMINISTER);
 try {
 Pattern.compile(regexExpression);
 } catch (PatternSyntaxException exception) {
diff --git a/src/main/java/com/synopsys/arc/jenkinsci/plugins/jobrestrictions/util/GroupSelector.java b/src/main/java/com/synopsys/arc/jenkinsci/plugins/jobrestrictions/util/GroupSelector.java
index a2feeee..66e8de8 100644
--- a/src/main/java/com/synopsys/arc/jenkinsci/plugins/jobrestrictions/util/GroupSelector.java
+++ b/src/main/java/com/synopsys/arc/jenkinsci/plugins/jobrestrictions/util/GroupSelector.java
@@ -41,6 +41,7 @@
 import org.acegisecurity.userdetails.UsernameNotFoundException;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 import org.springframework.dao.DataAccessException;
 /**
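Review bot: The form field that calls doCheckRegexExpression (RegexNameRestriction.java) must send its validation request as POST now that the method carries `@RequirePOST`, and the hunks shown change only Java sources, no views. Unless the plugin's Jenkins baseline already sends form validation as POST, the Jelly field bound to this check needs `checkMethod="post"`; otherwise the request is refused and the field shows an error instead of the regex validation result. The same applies to doCheckSelectedGroupId, doCheckSelectedUserId and doCheckSelectedClass in the other files of this commit. The method body continues past the end of the hunk.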
@@ -96,7 +97,9 @@ public String getDisplayName() {
 return "N/A";
 }
+ @RequirePOST
 public FormValidation doCheckSelectedGroupId(@QueryParameter String selectedGroupId) {
+ Jenkins.get().checkPermission(Jenkins.ADMINISTER);
 selectedGroupId = Util.fixEmptyAndTrim(selectedGroupId);
 SecurityRealm sr = Jenkins.get().getSecurityRealm();
 String eSelectedGroupId = Functions.escape(selectedGroupId);
diff --git a/src/main/java/com/synopsys/arc/jenkinsci/plugins/jobrestrictions/util/UserSelector.java b/src/main/java/com/synopsys/arc/jenkinsci/plugins/jobrestrictions/util/UserSelector.java
index 12d72a2..b55f2ad 100644
--- a/src/main/java/com/synopsys/arc/jenkinsci/plugins/jobrestrictions/util/UserSelector.java
+++ b/src/main/java/com/synopsys/arc/jenkinsci/plugins/jobrestrictions/util/UserSelector.java
@@ -32,10 +32,12 @@
 import hudson.util.FormValidation;
 import java.io.Serializable;
 import java.util.Objects;
+import jenkins.model.Jenkins;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.NoExternalUse;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 /**
 * Describable Item, which allows to configure a user.
@@ -91,7 +93,9 @@ public String getDisplayName() {
 }
 @Restricted(NoExternalUse.class) // Stapler only
+ @RequirePOST
 public FormValidation doCheckSelectedUserId(@QueryParameter String selectedUserId) {
+ Jenkins.get().checkPermission(Jenkins.ADMINISTER);
 selectedUserId = Util.fixEmptyAndTrim(selectedUserId);
 if (selectedUserId == null) {
 return FormValidation.error("Field is empty");
diff --git a/src/main/java/io/jenkins/plugins/jobrestrictions/util/ClassSelector.java b/src/main/java/io/jenkins/plugins/jobrestrictions/util/ClassSelector.java
index 5985d69..eb76d09 100644
--- a/src/main/java/io/jenkins/plugins/jobrestrictions/util/ClassSelector.java
+++ b/src/main/java/io/jenkins/plugins/jobrestrictions/util/ClassSelector.java
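Review bot: The new permission check in doCheckSelectedGroupId (GroupSelector.java) carries no comment saying what it protects, so a later cleanup could drop it as redundant for a validation method. The lines right after it obtain the security realm, presumably to look the submitted group up, so a one-line comment above the check would record the reason, for example `// Validation consults the security realm; restrict it so it cannot be used to probe for group names.` The lookup itself lies below the end of the hunk, so confirm the wording against the full method.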
@@ -35,6 +35,7 @@
 import jenkins.model.Jenkins;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 /**
 * Describable Item, which allows to select class.
@@ -89,7 +90,9 @@ public String getDisplayName() {
 return "N/A";
 }
+ @RequirePOST
 public FormValidation doCheckSelectedClass(final @QueryParameter String selectedClass) {
+ Jenkins.get().checkPermission(Jenkins.ADMINISTER);
 String _selectedClass = Util.fixEmptyAndTrim(selectedClass);
 if (_selectedClass == null) {
 return FormValidation.error("Field is empty");
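Review bot: `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` in doCheckSelectedClass (ClassSelector.java) throws for any caller without Overall/Administer, so such a user would see an access-denied error under the field rather than a validation result. If this selector can appear on a page that is configurable without Administer (the hunk does not show where it is used), consider returning quietly instead: `if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) { return FormValidation.ok(); }`. That still skips the validation work for unprivileged callers. The other three doCheck methods changed in this commit use the same pattern, and this method's body continues past the hunk.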