Uploaded image for project: 'camunda BPM'
  1. camunda BPM
  2. CAM-12400

Perform access checks in Tasklist also on submit POST requests

XMLWordPrintable

    • Icon: Feature Request Feature Request
    • Resolution: Won't Fix
    • Icon: L3 - Default L3 - Default
    • None
    • None
    • None

      User story

      When submitting a submit POST request and adding variables, I want the access checks from Tasklist to apply so that users cannot submit unwanted variables or actions.

      Background

      End-users can submit-form POST requests to add and modify any variables of a process. 

      The desired implementation would be to apply access checks in the Tasklist also via the submit-form POST request to prevent end-users from altering variables they are not supposed to.

      Steps to reproduce

      Steps to reproduce (with a local installation):

      1. Use any BPMN Diagram with a "User Task" after some other tasks (Service Task, DMN ...).
      2. Claim the task in the Tasklist.
      3. Use any Rest Client and make a POST request to: `
        http://localhost:8080/camunda/api/engine/engine/default/task/{task-uuid}/submit-form`

      Headers: 

       

      content-type: application/json
       cookie: JSESSIONID=A8E3063D1BBBE60365029F414D0EE348; XSRF-TOKEN=906749563BBA83155426C47F77637E85
       x-xsrf-token: 906749563BBA83155426C47F77637E85

       

      Body:

      {
         "variables":{
            "comment":{
               "value": "This would be the only form field"
            },
            "some-other-variable":{
               "value":"modified"
            },
            "some-dmn-result":{
               "value": "100"
            }
         }
      

       

      Acceptance criteria

      • End user's can only submit variables according to the form-fields of the assigned task.
        • Perform access checks to prevent unwanted submission of variables 

        This is the controller panel for Smart Panels app

              Unassigned Unassigned
              andre.bappert Andre
              Votes:
              1 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: