JENKINS-73941 - ForceSandbox - Unify logic in Script-Security for red…

…ucing techDeb (#952) * JENKINS-73941 - HideSandbox - Unify all the logic in Script-Security plugin * JENKINS-73941 - HideSandbox - Unify all the logic in Script-Security plugin - Incremental Script-Security version * JENKINS-73941 - HideSandbox - Unify all the logic in Script-Security plugin - Incremental Script-Security version * Update to release --------- Co-authored-by: Jesse Glick <[email protected]>
jenkinsci · Nov 13, 2024 · 5eebd32 · 5eebd32
1 parent 3e20a37
commit 5eebd32
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 10 deletions.
diff --git a/plugin/pom.xml b/plugin/pom.xml
@@ -57,7 +57,7 @@
             <dependency>
                 <groupId>org.jenkins-ci.plugins</groupId>
                 <artifactId>script-security</artifactId>
-                <version>1367.vdf2fc45f229c</version>
+                <version>1369.v9b_98a_4e95b_2d</version>
             </dependency>
         </dependencies>
     </dependencyManagement>

diff --git a/plugin/src/main/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition.java b/plugin/src/main/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition.java
@@ -88,11 +88,7 @@ public CpsFlowDefinition(String script) throws Descriptor.FormException {
 
     @DataBoundConstructor
     public CpsFlowDefinition(String script, boolean sandbox) throws Descriptor.FormException {
-        if (!sandbox && ScriptApproval.get().isForceSandboxForCurrentUser()) {
-            // this will end up in the /oops page until https://github.com/jenkinsci/jenkins/pull/9495 is picked up
-            throw new Descriptor.FormException("Sandbox cannot be disabled. This Jenkins instance has been configured to not " +
-                    "allow regular users to disable the sandbox in pipelines", "sandbox");
-        }
+        ScriptApproval.validateSandbox(sandbox);
         StaplerRequest req = Stapler.getCurrentRequest();
         this.script = sandbox ? script : ScriptApproval.get().configuring(script, GroovyLanguage.get(),
                 ApprovalContext.create().withCurrentUser().withItemAsKey(req != null ? req.findAncestorObject(Item.class) : null), req == null);
@@ -192,10 +188,7 @@ public JSON doCheckScriptCompile(@AncestorInPath Item job, @QueryParameter Strin
 
         @Restricted(NoExternalUse.class) // stapler
         public boolean shouldHideSandbox(@CheckForNull CpsFlowDefinition instance) {
-            // sandbox checkbox is shown to admins even if the global configuration says otherwise
-            // it's also shown when sandbox == false, so regular users can enable it
-            return ScriptApproval.get().isForceSandboxForCurrentUser()
-                    && (instance == null || instance.sandbox);
+            return ScriptApproval.shouldHideSandbox(instance, CpsFlowDefinition::isSandbox);
         }
 
     }