[JENKINS-73038] Adapt plugin to allow user with Overall/Manage to configure global settings (#846)

Author: mikecirioli

pom.xml

@@ -5,7 +5,7 @@
   <parent>
     <groupId>org.jenkins-ci.plugins</groupId>
     <artifactId>plugin</artifactId>
-    <version>4.80</version>
+    <version>4.81</version>
     <relativePath />
   </parent>
 
@@ -30,6 +30,7 @@
     <gitHubRepo>jenkinsci/bitbucket-branch-source-plugin</gitHubRepo>
     <jenkins.version>2.401.3</jenkins.version>
     <hpi.compatibleSinceVersion>2.0</hpi.compatibleSinceVersion>
+    <useBeta>true</useBeta> <!-- Jenkins.MANAGE -->
   </properties>
 
   <developers>

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/BitbucketApiUtils.java

@@ -35,7 +35,7 @@ public static ListBoxModel getFromBitbucket(SCMSourceOwner context,
         if (repoOwner == null) {
             return new ListBoxModel();
         }
-        if (context == null && !Jenkins.get().hasPermission(Jenkins.ADMINISTER) ||
+        if (context == null && !Jenkins.get().hasPermission(Jenkins.MANAGE) ||
             context != null && !context.hasPermission(Item.EXTENDED_READ)) {
             return new ListBoxModel(); // not supposed to be seeing this form
         }

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/SSHCheckoutTrait.java

@@ -171,7 +171,7 @@ public ListBoxModel doFillCredentialsIdItems(@CheckForNull @AncestorInPath Item
                                                      @QueryParameter String serverUrl,
                                                      @QueryParameter String credentialsId) {
             if (context == null
-                    ? !Jenkins.get().hasPermission(Jenkins.ADMINISTER)
+                    ? !Jenkins.get().hasPermission(Jenkins.MANAGE)
                     : !context.hasPermission(Item.EXTENDED_READ)) {
                 return new StandardListBoxModel().includeCurrentValue(credentialsId);
             }
@@ -202,7 +202,7 @@ public FormValidation doCheckCredentialsId(@CheckForNull @AncestorInPath Item co
                                                    @QueryParameter String serverUrl,
                                                    @QueryParameter String value) {
             if (context == null
-                    ? !Jenkins.get().hasPermission(Jenkins.ADMINISTER)
+                    ? !Jenkins.get().hasPermission(Jenkins.MANAGE)
                     : !context.hasPermission(Item.EXTENDED_READ)) {
                 return FormValidation.ok();
             }

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/endpoints/AbstractBitbucketEndpointDescriptor.java

@@ -56,7 +56,7 @@ public abstract class AbstractBitbucketEndpointDescriptor extends Descriptor<Abs
     @SuppressWarnings("unused")
     public ListBoxModel doFillCredentialsIdItems(@QueryParameter String serverUrl) {
         Jenkins jenkins = Jenkins.get();
-        jenkins.checkPermission(Jenkins.ADMINISTER);
+        jenkins.checkPermission(Jenkins.MANAGE);
         StandardListBoxModel result = new StandardListBoxModel();
         result.includeMatchingAs(
                 ACL.SYSTEM,

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/endpoints/BitbucketEndpointConfiguration.java

@@ -29,6 +29,7 @@
 import hudson.ExtensionList;
 import hudson.Util;
 import hudson.security.ACL;
+import hudson.security.Permission;
 import hudson.util.ListBoxModel;
 import java.net.URI;
 import java.net.URISyntaxException;
@@ -79,6 +80,11 @@ public static BitbucketEndpointConfiguration get() {
         return ExtensionList.lookup(GlobalConfiguration.class).get(BitbucketEndpointConfiguration.class);
     }
 
+    @NonNull
+    @Override
+    public Permission getRequiredGlobalConfigPagePermission() {
+        return Jenkins.MANAGE;
+    }
     /**
      * Called from a {@code readResolve()} method only to convert the old {@code bitbucketServerUrl} field into the new
      * {@code serverUrl} field. When called from {@link ACL#SYSTEM} this will update the configuration with the
@@ -155,7 +161,7 @@ public synchronized List<AbstractBitbucketEndpoint> getEndpoints() {
      * @param endpoints the list of endpoints.
      */
     public synchronized void setEndpoints(@CheckForNull List<? extends AbstractBitbucketEndpoint> endpoints) {
-        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
+        Jenkins.get().checkPermission(Jenkins.MANAGE);
         List<AbstractBitbucketEndpoint> eps = new ArrayList<>(Util.fixNull(endpoints));
         // remove duplicates and empty urls
         Set<String> serverUrls = new HashSet<>();

src/test/java/com/cloudbees/jenkins/plugins/bitbucket/endpoints/BitbucketEndpointConfigurationTest.java

@@ -32,6 +32,7 @@
 import com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl;
 import com.google.common.io.Resources;
 import hudson.XmlFile;
+import hudson.model.User;
 import hudson.security.ACL;
 import hudson.security.ACLContext;
 import hudson.security.AuthorizationStrategy;
@@ -49,7 +50,9 @@
 import org.junit.Before;
 import org.junit.ClassRule;
 import org.junit.Test;
+import org.junit.jupiter.api.Assertions;
 import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.MockAuthorizationStrategy;
 
 import static org.hamcrest.Matchers.contains;
 import static org.hamcrest.Matchers.hasSize;
@@ -129,6 +132,29 @@ public void given__newInstance__when__configuredAsAnon__then__permissionError()
     }
 
     @Test
+    public void given__newInstance__when__configuredAsManage__then__OK() {
+        BitbucketEndpointConfiguration instance = new BitbucketEndpointConfiguration();
+        try {
+            j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
+            MockAuthorizationStrategy mockStrategy = new MockAuthorizationStrategy();
+            mockStrategy.grant(Jenkins.MANAGE).onRoot().to("admin");
+            j.jenkins.setAuthorizationStrategy(mockStrategy);
+            try (ACLContext context = ACL.as(User.get("admin"))) {
+                instance.setEndpoints(Arrays.<AbstractBitbucketEndpoint>asList(
+                    new BitbucketCloudEndpoint(true, "first"),
+                    new BitbucketCloudEndpoint(true, "second"),
+                    new BitbucketCloudEndpoint(true, "third")));
+                assertThat(instance.getEndpoints(), contains(instanceOf(BitbucketCloudEndpoint.class)));
+                assertThat(instance.getEndpoints().get(0).getCredentialsId(), is("first"));
+            } catch (RuntimeException x) {
+                Assertions.fail("No exception should be thrown");
+            }
+        } finally {
+            j.jenkins.setAuthorizationStrategy(AuthorizationStrategy.UNSECURED);
+        }
+    }
+
+        @Test
     public void given__newInstance__when__configuredWithServerUsingCloudUrl__then__convertedToCloud() {
         BitbucketEndpointConfiguration instance = new BitbucketEndpointConfiguration();
         assumeThat(instance.getEndpoints().get(0).getCredentialsId(), not(is("dummy")));