From bbf50ce3e019227ba1be599272a9f438a81d26e8 Mon Sep 17 00:00:00 2001
From: Javier Garcia <jgarcia@cloudbees.com>
Date: Thu, 31 Oct 2024 10:10:19 +0100
Subject: [PATCH 1/4] JENKINS-73941 - HideSandbox - Unify all the logic in
 Script-Security plugin

---
 plugin/pom.xml                                        |  2 +-
 .../plugins/workflow/cps/CpsFlowDefinition.java       | 11 ++---------
 2 files changed, 3 insertions(+), 10 deletions(-)

diff --git a/plugin/pom.xml b/plugin/pom.xml
index c5def3172..81711ca85 100644
--- a/plugin/pom.xml
+++ b/plugin/pom.xml
@@ -57,7 +57,7 @@
             <dependency>
                 <groupId>org.jenkins-ci.plugins</groupId>
                 <artifactId>script-security</artifactId>
-                <version>1367.vdf2fc45f229c</version>
+                <version>999999-SNAPSHOT</version>
             </dependency>
         </dependencies>
     </dependencyManagement>
diff --git a/plugin/src/main/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition.java b/plugin/src/main/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition.java
index d73cf4e5a..76d491017 100644
--- a/plugin/src/main/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition.java
+++ b/plugin/src/main/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition.java
@@ -88,11 +88,7 @@ public CpsFlowDefinition(String script) throws Descriptor.FormException {
 
     @DataBoundConstructor
     public CpsFlowDefinition(String script, boolean sandbox) throws Descriptor.FormException {
-        if (!sandbox && ScriptApproval.get().isForceSandboxForCurrentUser()) {
-            // this will end up in the /oops page until https://github.com/jenkinsci/jenkins/pull/9495 is picked up
-            throw new Descriptor.FormException("Sandbox cannot be disabled. This Jenkins instance has been configured to not " +
-                    "allow regular users to disable the sandbox in pipelines", "sandbox");
-        }
+        ScriptApproval.validateSandbox(sandbox);
         StaplerRequest req = Stapler.getCurrentRequest();
         this.script = sandbox ? script : ScriptApproval.get().configuring(script, GroovyLanguage.get(),
                 ApprovalContext.create().withCurrentUser().withItemAsKey(req != null ? req.findAncestorObject(Item.class) : null), req == null);
@@ -192,10 +188,7 @@ public JSON doCheckScriptCompile(@AncestorInPath Item job, @QueryParameter Strin
 
         @Restricted(NoExternalUse.class) // stapler
         public boolean shouldHideSandbox(@CheckForNull CpsFlowDefinition instance) {
-            // sandbox checkbox is shown to admins even if the global configuration says otherwise
-            // it's also shown when sandbox == false, so regular users can enable it
-            return ScriptApproval.get().isForceSandboxForCurrentUser()
-                    && (instance == null || instance.sandbox);
+            return ScriptApproval.shouldHideSandbox(instance, CpsFlowDefinition::isSandbox);
         }
 
     }

From 75b1e72601a7897d3b648ea17df1980c7118d768 Mon Sep 17 00:00:00 2001
From: Javier Garcia <jgarcia@cloudbees.com>
Date: Thu, 31 Oct 2024 11:14:47 +0100
Subject: [PATCH 2/4] JENKINS-73941 - HideSandbox - Unify all the logic in
 Script-Security plugin - Incremental Script-Security version

---
 plugin/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugin/pom.xml b/plugin/pom.xml
index 81711ca85..6701bdfe4 100644
--- a/plugin/pom.xml
+++ b/plugin/pom.xml
@@ -57,7 +57,7 @@
             <dependency>
                 <groupId>org.jenkins-ci.plugins</groupId>
                 <artifactId>script-security</artifactId>
-                <version>999999-SNAPSHOT</version>
+                <version>1371.vc2f1467cb_d7e</version>
             </dependency>
         </dependencies>
     </dependencyManagement>

From a5e0898e756f3211eb349636ca5c0d37b55670c7 Mon Sep 17 00:00:00 2001
From: Javier Garcia <jgarcia@cloudbees.com>
Date: Tue, 5 Nov 2024 11:04:14 +0100
Subject: [PATCH 3/4] JENKINS-73941 - HideSandbox - Unify all the logic in
 Script-Security plugin - Incremental Script-Security version

---
 plugin/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugin/pom.xml b/plugin/pom.xml
index 6701bdfe4..fc73b2c2f 100644
--- a/plugin/pom.xml
+++ b/plugin/pom.xml
@@ -57,7 +57,7 @@
             <dependency>
                 <groupId>org.jenkins-ci.plugins</groupId>
                 <artifactId>script-security</artifactId>
-                <version>1371.vc2f1467cb_d7e</version>
+                <version>1375.vd22f9ce290ef</version>
             </dependency>
         </dependencies>
     </dependencyManagement>

From cea198bd4d45e13d5169cdf42dfa039906d52312 Mon Sep 17 00:00:00 2001
From: Jesse Glick <jglick@cloudbees.com>
Date: Wed, 13 Nov 2024 16:02:38 -0500
Subject: [PATCH 4/4] Update to release

---
 plugin/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugin/pom.xml b/plugin/pom.xml
index fc73b2c2f..817df3ee9 100644
--- a/plugin/pom.xml
+++ b/plugin/pom.xml
@@ -57,7 +57,7 @@
             <dependency>
                 <groupId>org.jenkins-ci.plugins</groupId>
                 <artifactId>script-security</artifactId>
-                <version>1375.vd22f9ce290ef</version>
+                <version>1369.v9b_98a_4e95b_2d</version>
             </dependency>
         </dependencies>
     </dependencyManagement>