From 3f74022c7a937d054a27c9fecf6a7196fbaeed60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antonio=20Mu=C3=B1iz?=
Date: Mon, 13 May 2024 13:15:09 +0200
Subject: [PATCH] [JENKINS-73163] Allow users with Overall/Manage permission to configure GitHub Servers

See [JENKINS-73163](https://issues.jenkins.io/browse/JENKINS-73163) for more information.

Some features have been intentionally left out and they will keep requiring `Jenkins.ADMINISTER`. They are administrative monitors and webhook auto-registering.
---
 pom.xml | 1 +
 .../jenkinsci/plugins/github/config/GitHubServerConfig.java | 4 ++--
 .../jenkinsci/plugins/github/config/HookSecretConfig.java | 2 +-
 .../github/config/GitHubServerConfigIntegrationTest.java | 6 ++++--
 4 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/pom.xml b/pom.xml
index 4ce742847..db65968f2 100755
--- a/pom.xml
+++ b/pom.xml
@@ -53,6 +53,7 @@
 2.414.3 false v@{project.version}
+ true
diff --git a/src/main/java/org/jenkinsci/plugins/github/config/GitHubServerConfig.java b/src/main/java/org/jenkinsci/plugins/github/config/GitHubServerConfig.java
index 4d6b29b75..c0ed535cf 100644
--- a/src/main/java/org/jenkinsci/plugins/github/config/GitHubServerConfig.java
+++ b/src/main/java/org/jenkinsci/plugins/github/config/GitHubServerConfig.java
@@ -348,7 +348,7 @@ public String getDisplayName() {
 @SuppressWarnings("unused")
 public ListBoxModel doFillCredentialsIdItems(@QueryParameter String apiUrl,
 @QueryParameter String credentialsId) {
- if (!Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER)) {
+ if (!Jenkins.getInstance().hasPermission(Jenkins.MANAGE)) {
 return new StandardListBoxModel().includeCurrentValue(credentialsId);
 }
 return new StandardListBoxModel()
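Review bot: The rewritten permission check still goes through `Jenkins.getInstance()`, which has been deprecated in favour of `Jenkins.get()` since Jenkins 2.98 (the pom pins 2.414.3, so `get()` is available), and the next hunk in this same file uses `getActiveInstance()`, so the patch now guards the same permission through two different accessors; since the line is being touched anyway, `if (!Jenkins.get().hasPermission(Jenkins.MANAGE)) {` keeps the checks uniform. Note also that the early return only echoes the current value for callers without Manage, so the full listing built on the following lines is now reachable by Manage-only principals; what that listing resolves (system-scoped credentials or not) is outside this hunk, so a short comment on the method recording the intended floor, e.g. `// Overall/Manage (not only Administer) may enumerate the credentials offered here`, would help the next reader. The body of doFillCredentialsIdItems continues past the end of this hunk.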
@@ -367,7 +367,7 @@ public ListBoxModel doFillCredentialsIdItems(@QueryParameter String apiUrl,
 public FormValidation doVerifyCredentials(
 @QueryParameter String apiUrl,
 @QueryParameter String credentialsId) throws IOException {
- Jenkins.getActiveInstance().checkPermission(Jenkins.ADMINISTER);
+ Jenkins.getActiveInstance().checkPermission(Jenkins.MANAGE);
 GitHubServerConfig config = new GitHubServerConfig(credentialsId);
 config.setApiUrl(apiUrl);
diff --git a/src/main/java/org/jenkinsci/plugins/github/config/HookSecretConfig.java b/src/main/java/org/jenkinsci/plugins/github/config/HookSecretConfig.java
index 8eb8dc5f2..6c45e5d00 100644
--- a/src/main/java/org/jenkinsci/plugins/github/config/HookSecretConfig.java
+++ b/src/main/java/org/jenkinsci/plugins/github/config/HookSecretConfig.java
@@ -62,7 +62,7 @@ public String getDisplayName() {
 @SuppressWarnings("unused")
 public ListBoxModel doFillCredentialsIdItems(@QueryParameter String credentialsId) {
- if (!Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER)) {
+ if (!Jenkins.getInstance().hasPermission(Jenkins.MANAGE)) {
 return new StandardListBoxModel().includeCurrentValue(credentialsId);
 }
diff --git a/src/test/java/org/jenkinsci/plugins/github/config/GitHubServerConfigIntegrationTest.java b/src/test/java/org/jenkinsci/plugins/github/config/GitHubServerConfigIntegrationTest.java
index d019c9d4d..7415352fe 100644
--- a/src/test/java/org/jenkinsci/plugins/github/config/GitHubServerConfigIntegrationTest.java
+++ b/src/test/java/org/jenkinsci/plugins/github/config/GitHubServerConfigIntegrationTest.java
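Review bot: Lowering `checkPermission` here to `Jenkins.MANAGE` means a principal without Overall/Administer now controls both `apiUrl` and `credentialsId` for a request that, on the lines right after the change, builds a `GitHubServerConfig` from that credential and points it at that URL; if the lookup resolves system-scoped credentials, a Manage-only user can have a stored GitHub token presented to a host they choose, which is precisely the leak that the `shouldNotAllow_CredentialsLeakage_usingVerifyCredentials` test in this patch exists to catch for unprivileged users. Overall/Manage is meant to be weaker than Administer, so putting a secret-bearing outbound call behind it is a deliberate trust decision that the commit message does not mention, even though it lists the features it kept on Administer. Either keep `Jenkins.getActiveInstance().checkPermission(Jenkins.ADMINISTER);` for this endpoint, or restrict verification to the `apiUrl` already persisted in the global configuration instead of the request parameter, and record the choice in the method's Javadoc. The body of doVerifyCredentials continues beyond the end of this hunk.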
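Review bot: The same deprecated `Jenkins.getInstance()` accessor survives the rewrite of this line, so across the patch the permission checks now use `getInstance()` in two places and `getActiveInstance()` in a third; `if (!Jenkins.get().hasPermission(Jenkins.MANAGE)) {` would make them consistent. Beyond that, this hunk opens the hook-secret credential listing on the lines that follow to Manage-only users, and since these are the secrets used to authenticate inbound webhooks a comment on the method stating that Manage is the intended floor for choosing a hook secret would help the next reader; what the listing returns is outside this hunk, so confirm it surfaces credential IDs only before wording that comment. The method body continues past the end of the hunk.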
@@ -107,7 +107,9 @@ public void shouldNotAllow_CredentialsLeakage_usingVerifyCredentials() throws Ex
 j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
 GlobalMatrixAuthorizationStrategy strategy = new GlobalMatrixAuthorizationStrategy();
- strategy.add(Jenkins.ADMINISTER, "admin");
+ Jenkins.MANAGE.setEnabled(true);
+ strategy.add(Jenkins.MANAGE, "admin");
+ strategy.add(Jenkins.READ, "admin");
 strategy.add(Jenkins.READ, "user");
 j.jenkins.setAuthorizationStrategy(strategy);
@@ -121,7 +123,7 @@ public void shouldNotAllow_CredentialsLeakage_usingVerifyCredentials() throws Ex
 assertThat(attackerServlet.secretCreds, isEmptyOrNullString());
 }
- { // only admin can verify the credentials
+ { // only admin (with Manage permission) can verify the credentials
 JenkinsRule.WebClient wc = j.createWebClient();
 wc.getOptions().setThrowExceptionOnFailingStatusCode(false);
 wc.login("admin");
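Review bot: `Jenkins.MANAGE.setEnabled(true);` flips a flag on a static `Permission` object and nothing in this hunk turns it back off, so once this test has run, any other test sharing the JVM sees Manage enabled whether or not its fixture intended that; reset it in an `@After` (`Jenkins.MANAGE.setEnabled(false);`) or rely on the JVM-level switch the pom change appears to add, whose property name is not visible in the collapsed diff. The reworked fixture also only shows that a Manage-plus-Read user is let through `doVerifyCredentials`; there is no assertion that the features the description keeps on Administer (administrative monitors, webhook auto-registration) are still refused to this same "admin" principal, so a negative case would pin the boundary the commit message promises. The test method starts before this hunk and continues after it.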