Perform access checks in Tasklist also on submit POST requests
User story
When submitting a submit POST request and adding variables, I want the access checks from Tasklist to apply so that users cannot submit unwanted variables or actions.
Background
End users can use submit-form POST requests to add and modify any variables of a process.
The desired implementation would apply the Tasklist access checks to submit-form POST requests as well, to prevent end users from altering variables they are not supposed to.
Steps to reproduce
Steps to reproduce (with a local installation):
- Use any BPMN Diagram with a "User Task" after some other tasks (Service Task, DMN ...).
- Claim the task in the Tasklist.
- Use any REST client and make a POST request to: `http://localhost:8080/camunda/api/engine/engine/default/task/{task-uuid}/submit-form`
Headers:
```
content-type: application/json
cookie: JSESSIONID=A8E3063D1BBBE60365029F414D0EE348; XSRF-TOKEN=906749563BBA83155426C47F77637E85
x-xsrf-token: 906749563BBA83155426C47F77637E85
```
Body:
```
{
  "variables": {
    "comment": { "value": "This would be the only form field" },
    "some-other-variable": { "value": "modified" },
    "some-dmn-result": { "value": "100" }
  }
}
```
Acceptance criteria
- End users can only submit variables according to the form fields of the assigned task.
- Perform access checks to prevent unwanted submission of variables.
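One way to express the first acceptance criterion as a server-side check, as an added example that is not Camunda code: the submitted variable names are compared against the form-field ids of the claimed task and the request is refused if any name falls outside them. The function names, the exception class and the assumption that the task form has the single field `comment` are hypothetical; the sample body is the one from the steps to reproduce.

```python
import json

# Constructed sample: the request body from the steps to reproduce above.
SAMPLE_BODY = """
{"variables": {
  "comment": {"value": "This would be the only form field"},
  "some-other-variable": {"value": "modified"},
  "some-dmn-result": {"value": "100"}
}}
"""

# Assumption: the claimed task's form defines exactly one field, with id "comment".
TASK_FORM_FIELD_IDS = frozenset({"comment"})


class SubmissionRejected(Exception):
    """Raised when a submit-form body names variables outside the task form."""

    def __init__(self, unexpected):
        super().__init__("variables not in task form: " + ", ".join(unexpected))
        self.unexpected = unexpected


def _reject_duplicate_keys(pairs):
    # A repeated key could be read differently by this check and by the
    # component that finally processes the body, so refuse it outright.
    keys = [key for key, _ in pairs]
    if len(keys) != len(set(keys)):
        raise ValueError("duplicate JSON key in request body")
    return dict(pairs)


def validate_submission(raw_body, allowed_field_ids):
    """Return the submitted variables if all are form fields, else raise."""
    body = json.loads(raw_body, object_pairs_hook=_reject_duplicate_keys)
    if not isinstance(body, dict):
        raise ValueError("request body must be a JSON object")
    variables = body.get("variables", {})
    if not isinstance(variables, dict):
        raise ValueError("'variables' must be a JSON object")
    # Reject the whole request instead of silently dropping extra variables,
    # so the attempt is visible to the caller and in logs.
    unexpected = sorted(set(variables) - set(allowed_field_ids))
    if unexpected:
        raise SubmissionRejected(unexpected)
    return variables
```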