  1. camunda BPM
  2. CAM-11624

Some historic task instance reports have redundant auth checks

    Details

    • Type: Bug Report
    • Status: Closed
    • Priority: L3 - Default
    • Resolution: Fixed
    • Affects Version/s: 7.13.0, 7.11.10, 7.10.16, 7.12.3
    • Fix Version/s: 7.13.0, 7.13.0-alpha3
    • Component/s: None
    • Labels:
      None

      Description

      Problem

      • The HistoryService#createHistoricTaskInstanceReport needs READ_HISTORY on ANY TASK for the following API calls:
        • HistoryService#createHistoricTaskInstanceReport#countByTaskName
        • HistoryService#createHistoricTaskInstanceReport#countByProcessDefinitionKey
        • HistoryService#createHistoricTaskInstanceReport#duration
      • Before this authorization check is performed, another check runs which requires READ_HISTORY on ANY PROCESS_DEFINITION
      • This means a user needs both authorizations to call the API methods
      • This behavior is wrong, since a user already has access to historic task instances when READ_HISTORY on ANY PROCESS_DEFINITION is granted

      Solution
      Remove redundant auth check: READ_HISTORY on ANY TASK

      AT

      • Remove redundant auth check: READ_HISTORY on ANY TASK
      • Deprecation javadocs for Permissions on READ_HISTORY are in place
      • Annotate TaskPermissions#READ_HISTORY with @Deprecated

      Cleanup

      • Remove never called CommandChecker#checkReadHistoryAnyTaskInstance
      • Adjust HistoricTaskInstanceAuthorizationTest
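
      A check for the fixed behavior described above, written as an added example (not code from this ticket or from the camunda code base): it grants a user only READ_HISTORY on ANY PROCESS_DEFINITION and confirms that all three report calls pass authorization. The class and method names are hypothetical, and it assumes a running engine with history enabled and a user who holds no other authorizations.

```java
import org.camunda.bpm.engine.AuthorizationException;
import org.camunda.bpm.engine.AuthorizationService;
import org.camunda.bpm.engine.HistoryService;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.ProcessEngineConfiguration;
import org.camunda.bpm.engine.authorization.Authorization;
import org.camunda.bpm.engine.authorization.Permissions;
import org.camunda.bpm.engine.authorization.Resources;
import org.camunda.bpm.engine.query.PeriodUnit;

// Hypothetical helper class, not part of camunda BPM.
public class HistoricTaskReportAuthCheck {

  /** True if userId can run all three reports with no grant on the TASK resource. */
  public static boolean reportsPassWithProcessDefinitionGrantOnly(ProcessEngine engine, String userId) {
    AuthorizationService authorizationService = engine.getAuthorizationService();
    HistoryService historyService = engine.getHistoryService();
    ProcessEngineConfiguration config = engine.getProcessEngineConfiguration();

    // The only grant: READ_HISTORY on ANY PROCESS_DEFINITION.
    Authorization grant = authorizationService.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
    grant.setUserId(userId);
    grant.setResource(Resources.PROCESS_DEFINITION);
    grant.setResourceId(Authorization.ANY);
    grant.addPermission(Permissions.READ_HISTORY);
    authorizationService.saveAuthorization(grant);

    boolean wasEnabled = config.isAuthorizationEnabled();
    config.setAuthorizationEnabled(true);
    engine.getIdentityService().setAuthenticatedUserId(userId);
    try {
      // The three calls named in the ticket; duration takes the period to group by.
      historyService.createHistoricTaskInstanceReport().countByTaskName();
      historyService.createHistoricTaskInstanceReport().countByProcessDefinitionKey();
      historyService.createHistoricTaskInstanceReport().duration(PeriodUnit.MONTH);
      return true;
    } catch (AuthorizationException e) {
      // Affected versions end up here: the TASK check rejects the user
      // even though the PROCESS_DEFINITION check has already passed.
      return false;
    } finally {
      // Restore engine state so the check leaves no extra privileges behind.
      engine.getIdentityService().clearAuthentication();
      config.setAuthorizationEnabled(wasEnabled);
      authorizationService.deleteAuthorization(grant.getId());
    }
  }
}
```

      On the affected versions listed above the method is expected to return false; with the fix it should return true.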

              People

              Assignee:
              nikola.koevski Nikola Koevski
              Reporter:
              tassilo.weidner Tassilo Weidner
