Jenkins before LTS version 2.121.3 and weekly version 2.138 allow unauthorized users to cancel scheduled restarts initiated from the update center. Users with Overall/Read permission were able to access the URL used to cancel scheduled restart jobs initiated via the update center ("Restart Jenkins when installation is complete and no jobs are running") due to a lack of permission checks. External Reference: https://jenkins.io/security/advisory/2018-08-15/#SECURITY-1076
Created jenkins tracking bugs for this issue: Affects: fedora-all [bug 1620355]
By default Jenkins doesn't setup users with just Overall/Read permission. It's possible to setup such users but it's best not to rely on Agent/Connect permission to prevent cancellation of restart jobs because of this issue on OpenShift Container Platform 3.10 and earlier. Upgrade to OpenShift Container Platform 3.11 to pick up a fix for this issue.