Folder credentials are erased by user lacking Item/Configure permission #727
Description
Jenkins and plugins versions report
Jenkins core masks password fields (i.e. replaces with ********) when you're lacking Item/Configure permission.
Folders credentials can be updated with Credentials/View and Credentials/Update permissions.
Meaning that someone with these permissions but lacking Item/Configure permission can edit a credentials, however the value of the password fields will be replaced by ********.
So even without changing anyfield and just resaving the credentials, it will erase the value of the password by ********.
What Operating System are you using (both controller, and any agents involved in the problem)?
Linux, but unrelated to OS
Reproduction steps
Create a credentials on a folder with a password set to 123.
As a user with Credentials/View and Credentials/Update permissions but lacking Item/Configure permission update the credentials without changing any fields, only by resaving.
Expected Results
As a user with Credentials/View and Credentials/Update permissions but lacking Item/Configure permission update the credentials without changing any fields do not erase the password value.
Actual Results
As a user with Credentials/View and Credentials/Update permissions but lacking Item/Configure permission update the credentials without changing any fields do erase the password value.
Anything else?
FTR: This behavior is unrelated to the recent core fix of Jenkins core on the masking of the password field, it was already happening in before.
Are you interested in contributing a fix?
No response