[SECURITY-3206]

Author: mtughan

src/main/java/org/jenkinsci/plugins/scriptler/ScriptlerManagement.java

@@ -30,6 +30,7 @@
 import hudson.markup.MarkupFormatter;
 import hudson.markup.RawHtmlMarkupFormatter;
 import hudson.model.*;
+import hudson.security.AccessControlled;
 import hudson.security.Permission;
 import jenkins.model.Jenkins;
 import org.apache.commons.fileupload.FileItem;
@@ -637,8 +638,13 @@ private String[] resolveSlaveNames(String nameAlias) {
      * @throws IOException
      * @throws ServletException
      */
-    public void doShowScript(StaplerRequest req, StaplerResponse rsp, @QueryParameter("id") String id) throws IOException, ServletException {
-        // action directly accessible to any people configuring job, so no permission check
+    public void doShowScript(StaplerRequest req, StaplerResponse rsp, @AncestorInPath Item item, @QueryParameter("id") String id) throws IOException, ServletException {
+        // action directly accessible to any people configuring job, so use a more lenient permission check
+        Jenkins jenkins = Jenkins.get();
+        if (!jenkins.hasAnyPermission(ScriptlerPermissions.RUN_SCRIPTS, ScriptlerPermissions.CONFIGURE)) {
+            AccessControlled parent = item == null ? jenkins : item;
+            parent.checkPermission(Item.CONFIGURE);
+        }
         Script script = ScriptHelper.getScript(id, true);
         req.setAttribute("script", script);
         req.getView(this, "show.jelly").forward(req, rsp);

src/main/java/org/jenkinsci/plugins/scriptler/TransientActionProvider.java

@@ -0,0 +1,33 @@
+package org.jenkinsci.plugins.scriptler;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.Extension;
+import hudson.model.Action;
+import hudson.model.Job;
+import java.util.Collection;
+import java.util.Collections;
+import jenkins.model.TransientActionFactory;
+
+@Extension
+public class TransientActionProvider extends TransientActionFactory<Job> {
+    @Override
+    public Class<Job> type() {
+        return Job.class;
+    }
+
+    @NonNull
+    @Override
+    public Collection<? extends Action> createFor(@NonNull Job target) {
+        return Collections.singleton(new ScriptlerManagement() {
+            @Override
+            public String getIconFileName() {
+                return null;
+            }
+
+            @Override
+            public String getDisplayName() {
+                return null;
+            }
+        });
+    }
+}

src/main/resources/org/jenkinsci/plugins/scriptler/builder/ScriptlerBuilder/config.jelly

@@ -20,7 +20,7 @@
 			<f:entry title="${%Script}" field="buildStepContent">
 			    <input type="hidden" name="backupJobName" />
 			    <input type="hidden" name="builderId" value="${instance.builderId}" />
-				<select name="scriptlerScriptId" onChange="scriptler_initDetailLink('${rootURL}', this);scriptler_showParams(this, this.value);" >
+				<select name="scriptlerScriptId" data-item-url="${it.url}" onChange="scriptler_initDetailLink('${rootURL}', this);scriptler_showParams(this, this.value);" >
 					<option value="">(Default)</option>
 					<j:forEach var="inst" items="${descriptor.scripts}" varStatus="loop">
 						<j:choose>

src/main/webapp/lib/scriptler.js

@@ -1,13 +1,14 @@
 
 function scriptler_initDetailLink(rootURL, referenceTag){
+   var itemURL = referenceTag.getAttribute('data-item-url');
    var selId = referenceTag.value;
    var all = new Array();
    all = document.getElementsByName('scriptlerScriptId');
    for(var i = 0; i < all.length; i++) {
 	   if(referenceTag == all.item(i)){
 		   var detailsLinkTag = document.getElementsByName('showScriptlerDetailLink').item(i);
 		   if(selId.length != 0){
-			   detailsLinkTag .href=rootURL+"/scriptler/showScript?id=".concat(selId);
+			   detailsLinkTag .href=rootURL+"/" + itemURL + "scriptler/showScript?id=".concat(selId);
 			   detailsLinkTag .style.display = 'block';
 			}else{
 			   detailsLinkTag .style.display = 'none';