[JENKINS-73468] Fix mistaken doCheckServerUrl AccessDeniedException (#864)

[JENKINS-73468] View Configuration shows AccessDeniedException on BitbucketScmSource#doCheckServerUrl

Fix mistaken doCheckServerUrl AccessDeniedException

Author: Dohbedoh

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/BitbucketSCMSource.java

@@ -1341,8 +1341,11 @@ public FormValidation doCheckCredentialsId(@CheckForNull @AncestorInPath SCMSour
 
         @SuppressWarnings("unused") // used By stapler
         public static FormValidation doCheckServerUrl(@AncestorInPath SCMSourceOwner context, @QueryParameter String value) {
-            AccessControlled contextToCheck = context == null ? Jenkins.get() : context;
-            contextToCheck.checkPermission(Item.CONFIGURE);
+            if (context == null && !Jenkins.get().hasPermission(Jenkins.MANAGE)
+                || context != null && !context.hasPermission(Item.EXTENDED_READ)) {
+                return FormValidation.error(
+                    "Unauthorized to validate Server URL"); // not supposed to be seeing this form
+            }
             if (BitbucketEndpointConfiguration.get().findEndpoint(value) == null) {
                 return FormValidation.error("Unregistered Server: " + value);
             }

src/test/java/com/cloudbees/jenkins/plugins/bitbucket/Security2033Test.java

@@ -9,6 +9,7 @@
 import hudson.model.User;
 import hudson.security.ACL;
 import hudson.security.ACLContext;
+import hudson.util.FormValidation;
 import hudson.util.ListBoxModel;
 import java.io.IOException;
 import java.net.HttpURLConnection;
@@ -35,6 +36,7 @@ public class Security2033Test {
 
     private static final String PROJECT_NAME = "p";
     private static final String NOT_AUTHORIZED_USER = "userNoPermission";
+    private static final String NO_ITEM_READ_USER = "userNoReadPermission";
     private static final String SERVER_URL = "server.url";
 
     @Rule
@@ -95,6 +97,17 @@ public void doCheckCredentialsIdSCMSourceWhenUserWithoutCredentialsViewPermissio
         }
     }
 
+    @Issue("SECURITY-2033")
+    @Test
+    public void doCheckServerUrlWhenUserWithoutPermissionThenReturnForbiddenMessage() {
+        ((MockAuthorizationStrategy) j.jenkins.getAuthorizationStrategy())
+            .grant(Jenkins.READ, Item.READ).everywhere().to(NOT_AUTHORIZED_USER);
+        try (ACLContext aclContext = ACL.as(User.getOrCreateByIdOrFullName(NO_ITEM_READ_USER))) {
+            FormValidation formValidation = BitbucketSCMSource.DescriptorImpl.doCheckServerUrl(pr, SERVER_URL);
+            assertThat(formValidation.getMessage(), is("Unauthorized to validate Server URL"));
+        }
+    }
+
     @Issue("SECURITY-2033")
     @Test
     public void doFillServerUrlItemsSCMNavigatorWhenUserWithoutPermissionThenReturnEmptyList() {
@@ -115,17 +128,6 @@ public void doFillServerUrlItemsSCMSourceWhenUserWithoutPermissionThenReturnEmpt
         }
     }
 
-    @Issue("SECURITY-2033")
-    @Test
-    public void doCheckServerUrlWhenUserWithoutPermissionThenReturnForbiddenStatus() {
-        try (ACLContext aclContext = ACL.as(User.getOrCreateByIdOrFullName(NOT_AUTHORIZED_USER))) {
-            BitbucketSCMSource.DescriptorImpl.doCheckServerUrl(pr, SERVER_URL);
-            fail("Should fail with AccessDeniedException2");
-        } catch (Exception accessDeniedException2) {
-            assertThat(accessDeniedException2.getMessage(), is(NOT_AUTHORIZED_USER + " is missing the Job/Configure permission"));
-        }
-    }
-
     @Issue("SECURITY-2033")
     @Test
     public void doShowStatsWhenUserWithoutAdminPermissionThenReturnForbiddenStatus() {