Type: Bug Report
Resolution: Unresolved
Priority: L3 - Default
Affects Version/s: None
Component/s: None
What are the steps to reproduce your problem?
In an LDAP setup, if the user query shown below is executed from delegation code, it throws an exception (singleResult() returns null, so the call to getFirstName() fails):
execution.getProcessEngine().getIdentityService().createUserQuery().userId(<<inputid>>).singleResult().getFirstName();
Error:
xxx:TypeError: null has no such function "getFirstName" in <eval> at line number 14
For quick reference, here are the test cases: https://github.com/camunda/camunda-bpm-platform/commit/2a74ca24d7e717d95753760a0596c6cec5731c02
What is the problem?
- Whenever delegation code (scripts, Java delegates, ...) is executed, the engine disables authorization checks in the current command context: https://github.com/camunda/camunda-bpm-platform/blob/2a8a3a93a1ab65300aca68ff0184baad8fd82658/engine/src/main/java/org/camunda/bpm/engine/impl/delegate/DefaultDelegateInterceptor.java#L81
- When the LDAP identity provider is used and the user query is executed, the LDAP plugin checks whether the authenticated user is authorized to "read" the user:
- https://github.com/camunda/camunda-bpm-platform/blob/2a8a3a93a1ab65300aca68ff0184baad8fd82658/engine-plugins/identity-ldap/src/main/java/org/camunda/bpm/identity/impl/ldap/LdapIdentityProviderSession.java#L269
- https://github.com/camunda/camunda-bpm-platform/blob/2a8a3a93a1ab65300aca68ff0184baad8fd82658/engine-plugins/identity-ldap/src/main/java/org/camunda/bpm/identity/impl/ldap/LdapIdentityProviderSession.java#L662-L666
- When performing that authorization check, however, the LDAP identity provider does not consider that the query is executed as part of delegation code; it never checks whether authorization checks are disabled in the current command context.
- This is different with the DB identity provider: when the user query is executed there, the engine skips the authorization check because it is disabled in the command context.
Referenced from: https://jira.camunda.com/browse/SUPPORT-8028?focusedCommentId=146823&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-146823
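As an added illustration (not the LDAP plugin's or the engine's own code), the guard below shows the command-context check that the analysis above says is missing. LdapUserReadGuard is a hypothetical helper; it assumes the engine APIs Context.getCommandContext(), CommandContext.isAuthorizationCheckEnabled(), CommandContext.getAuthorizationManager() and AuthorizationManager.isAuthorized(Permission, Resource, String), and takes the plugin-level setting as a plain boolean parameter.

```java
import org.camunda.bpm.engine.authorization.Permissions;
import org.camunda.bpm.engine.authorization.Resources;
import org.camunda.bpm.engine.impl.context.Context;
import org.camunda.bpm.engine.impl.interceptor.CommandContext;
import org.camunda.bpm.engine.impl.persistence.entity.AuthorizationManager;

/**
 * Hypothetical guard (illustration only, not the plugin's code): before asking
 * the AuthorizationManager whether the authenticated user may READ a user,
 * consult the command context, which delegation code runs in with
 * authorization checks disabled.
 */
public final class LdapUserReadGuard {

  private LdapUserReadGuard() {
  }

  /**
   * @param userId the user id the query filters on
   * @param ldapAuthorizationCheckEnabled the plugin-level setting
   *        (assumed to mirror LdapConfiguration's authorizationCheckEnabled flag)
   * @return true if the user entry may be returned to the caller
   */
  public static boolean isUserReadAllowed(String userId, boolean ldapAuthorizationCheckEnabled) {
    // 1. Plugin-level switch: when disabled, the plugin performs no checks at all.
    if (!ldapAuthorizationCheckEnabled) {
      return true;
    }

    // 2. Command-context switch: the step the report describes as missing.
    //    DefaultDelegateInterceptor disables authorization checks in the current
    //    command context while delegation code runs, so the query must honour it;
    //    otherwise singleResult() yields null inside a script or Java delegate.
    CommandContext commandContext = Context.getCommandContext();
    if (!commandContext.isAuthorizationCheckEnabled()) {
      return true;
    }

    // 3. Regular path: ask the engine whether the authenticated user holds READ
    //    on this user resource, exactly as the DB identity provider would.
    AuthorizationManager authorizationManager = commandContext.getAuthorizationManager();
    return authorizationManager.isAuthorized(Permissions.READ, Resources.USER, userId);
  }
}
```

The plugin-level switch is kept separate from the command-context switch so that a deployment which explicitly disabled LDAP authorization checks behaves exactly as before, which is the backward-compatibility point raised in the hints.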
What would be the expected behavior:
There should not be any issue in executing delegation code when using LDAP identity provider.
Hints (optional):
- Consider whether backward compatibility must be preserved when changing this behavior in the LDAP identity provider.