[JENKINS-75609] Missing avatar for private when Jenkins security is enabled

nfalco79 · nfalco79 · commit 1e43ef3d2aca · 2025-04-30T22:30:12.000+02:00
Fix code that retrieves a Jenkins item using an ACL context to avoid a null result when Jenkins security is enabled.
diff --git a/src/main/java/com/cloudbees/jenkins/plugins/bitbucket/impl/avatars/BitbucketAvatarImageSource.java b/src/main/java/com/cloudbees/jenkins/plugins/bitbucket/impl/avatars/BitbucketAvatarImageSource.java
@@ -30,6 +30,8 @@
 import com.cloudbees.plugins.credentials.common.StandardCredentials;
 import edu.umd.cs.findbugs.annotations.NonNull;
 import edu.umd.cs.findbugs.annotations.Nullable;
+import hudson.security.ACL;
+import hudson.security.ACLContext;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import jenkins.authentication.tokens.api.AuthenticationTokens;
@@ -59,7 +61,12 @@ public BitbucketAvatarImageSource(@NonNull String avatarURL, @NonNull String ser
     public AvatarImage fetch() {
         try {
             if (canFetch()) {
-                SCMNavigatorOwner owner = Jenkins.get().getItemByFullName(scmOwner, SCMNavigatorOwner.class);
+                SCMNavigatorOwner owner = null;
+                // to access item when security (not matrix) is enabled or
+                // logged user does not have READ(DISCOVER) access on the item
+                try (ACLContext as = ACL.as2(ACL.SYSTEM2)) { // JENKINS-75609
+                    owner = Jenkins.get().getItemByFullName(scmOwner, SCMNavigatorOwner.class);
+                }
                 if (owner != null) {
                     StandardCredentials credentials = BitbucketCredentials.lookupCredentials(serverURL, owner, credentialsId, StandardCredentials.class);
                     BitbucketAuthenticator authenticator = AuthenticationTokens.convert(BitbucketAuthenticator.authenticationContext(serverURL), credentials);
diff --git a/src/main/java/com/cloudbees/jenkins/plugins/bitbucket/impl/extension/GitClientAuthenticatorExtension.java b/src/main/java/com/cloudbees/jenkins/plugins/bitbucket/impl/extension/GitClientAuthenticatorExtension.java
@@ -36,6 +36,8 @@
 import hudson.plugins.git.GitSCM;
 import hudson.plugins.git.extensions.GitSCMExtension;
 import hudson.plugins.git.extensions.GitSCMExtensionDescriptor;
+import hudson.security.ACL;
+import hudson.security.ACLContext;
 import java.util.Objects;
 import jenkins.authentication.tokens.api.AuthenticationTokens;
 import jenkins.model.Jenkins;
@@ -95,7 +97,12 @@ private BitbucketAuthenticator authenticator() {
         }
         StandardCredentials credentials;
         if (scmOwner != null) {
-            Item owner = Jenkins.get().getItemByFullName(scmOwner, Item.class);
+            Item owner = null;
+            // to access item when security (not matrix) is enabled or
+            // logged user does not have READ(DISCOVER) access on the item
+            try (ACLContext as = ACL.as2(ACL.SYSTEM2)) {
+                owner = Jenkins.get().getItemByFullName(scmOwner, Item.class);
+            }
             if (owner == null) {
                 throw new IllegalStateException("Item " + scmOwner + " seems to be relocated, perform a 'Scan project Now' action to refresh old data");
             }
