[SECURITY-2201]

jenkinsci · May 6, 2021 · 2e85e45 · 2e85e45
1 parent a146c28
commit 2e85e45
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/src/main/java/hudson/plugins/s3/S3BucketPublisher.java b/src/main/java/hudson/plugins/s3/S3BucketPublisher.java
@@ -15,6 +15,7 @@
 import hudson.model.AbstractProject;
 import hudson.model.Action;
 import hudson.model.Fingerprint;
+import hudson.model.Item;
 import hudson.model.Result;
 import hudson.model.Run;
 import hudson.model.TaskListener;
@@ -34,10 +35,10 @@
 import net.sf.json.JSONObject;
 import org.apache.commons.lang.StringUtils;
 import org.jenkinsci.Symbol;
+import org.kohsuke.stapler.AncestorInPath;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.StaplerRequest;
-import org.kohsuke.stapler.StaplerResponse;
 import org.kohsuke.stapler.interceptor.RequirePOST;
 
 import javax.annotation.Nonnull;
@@ -466,8 +467,16 @@ public boolean configure(StaplerRequest req, JSONObject json) {
         }
 
         @SuppressWarnings("unused")
-        public ListBoxModel doFillProfileNameItems() {
+        public ListBoxModel doFillProfileNameItems(@AncestorInPath Item item) {
             final ListBoxModel model = new ListBoxModel();
+            if (item != null && !item.hasPermission(Item.CONFIGURE)) {
+                return model;
+            }
+            if (item == null && !Jenkins.get().hasPermission(Item.CREATE)) {
+                // accessing from $JENKINS_URL/pipeline-syntax
+                return model;
+            }
+
             for (S3Profile profile : profiles) {
                 model.add(profile.getName(), profile.getName());
             }