camunda BPM / CAM-10728

Webapp displays administrative options by hard-checking against camunda-admin group

    Details

      Description

      In admin, there are administrative system settings (e.g. submitting a license) that require the user to be a member of an admin group or to be an admin user. The frontend currently makes a query that checks for membership in the group camunda-admin to verify this; however, camunda-admin is only the default admin group, and via the engine configuration arbitrary groups and users can be declared as admins.

      HTTP request: http://localhost:8080/camunda/api/engine/engine/default/user?memberOfGroup=camunda-admin

      In consequence, the frontend will either wrongfully hide the administrative options or the query may fail (e.g. when using LDAP and the group does not exist in LDAP).

      Impact:

      • A failing query with an exception logged whenever the Admin dashboard is accessed
      • Administrator users cannot see the links to Execution Metrics and License Key in the Admin dashboard

      Workaround:

            People

            Assignee:
            akif.hazarvi Akif Hazarvi
            Reporter:
            thorben.lindhauer Thorben Lindhauer
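
The two failure modes from the description, as an added example that is not part of the original issue and not Camunda code. It models the hard-coded `camunda-admin` check beside a check driven by the configured admin groups and users; the directory stand-in, all function and field names, and the sample users and groups are constructed for illustration.

```javascript
// Constructed model of the issue; none of these names are Camunda APIs.
const DEFAULT_ADMIN_GROUP = 'camunda-admin';

// Directory stand-in: as in the LDAP case from the report, asking for the
// members of a group that does not exist fails instead of returning [].
function makeDirectory(groups) {
  const has = (g) => Object.prototype.hasOwnProperty.call(groups, g);
  return {
    membersOf(groupId) {
      if (!has(groupId)) throw new Error(`unknown group: ${groupId}`);
      return groups[groupId];
    },
    groupsOf(userId) {
      return Object.keys(groups).filter((g) => groups[g].includes(userId));
    },
  };
}

// Behaviour described in the report: only the default group decides.
function showsAdminOptionsHardcoded(directory, userId) {
  return directory.membersOf(DEFAULT_ADMIN_GROUP).includes(userId);
}

// Config-aware check: admin users and admin groups come from configuration.
function showsAdminOptionsFromConfig(directory, userId, adminConfig) {
  if (adminConfig.adminUsers.includes(userId)) return true;
  const userGroups = directory.groupsOf(userId);
  return adminConfig.adminGroups.some((g) => userGroups.includes(g));
}

// Reduce a check to 'shown', 'hidden' or 'error' for side-by-side comparison.
function outcome(check) {
  try { return check() ? 'shown' : 'hidden'; } catch (err) { return 'error'; }
}

// Constructed sample data: 'ops-admins' and 'mary' are the configured admins.
const adminConfig = { adminGroups: ['ops-admins'], adminUsers: ['mary'] };
const ldapLike = makeDirectory({ 'ops-admins': ['john'], sales: ['peter'] });
const withDefaultGroup = makeDirectory({ 'camunda-admin': [], 'ops-admins': ['john'] });

function compare(directory, userId) {
  return {
    hardcoded: outcome(() => showsAdminOptionsHardcoded(directory, userId)),
    configured: outcome(() => showsAdminOptionsFromConfig(directory, userId, adminConfig)),
  };
}

console.log(compare(ldapLike, 'john'), compare(withDefaultGroup, 'john'));
```

With the constructed data, the hard-coded check errors when `camunda-admin` is absent from the directory and hides the options when the group exists but the real admins are configured elsewhere.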