User story
When submitting a submit-form POST request and adding variables, I want the access checks from Tasklist to apply so that users cannot submit unwanted variables or actions.
Background
End users can use submit-form POST requests to add and modify any variables of a process.
The desired implementation would apply the Tasklist access checks to the submit-form POST request as well, to prevent end users from altering variables they are not supposed to.
Steps to reproduce
Steps to reproduce (with a local installation):
- Use any BPMN Diagram with a "User Task" after some other tasks (Service Task, DMN ...).
- Claim the task in the Tasklist.
- Use any REST client and make a POST request to: `http://localhost:8080/camunda/api/engine/engine/default/task/{task-uuid}/submit-form`

Headers:

```
content-type: application/json
cookie: JSESSIONID=A8E3063D1BBBE60365029F414D0EE348; XSRF-TOKEN=906749563BBA83155426C47F77637E85
x-xsrf-token: 906749563BBA83155426C47F77637E85
```

Body:

```json
{
  "variables": {
    "comment": { "value": "This would be the only form field" },
    "some-other-variable": { "value": "modified" },
    "some-dmn-result": { "value": "100" }
  }
}
```
Acceptance criteria
- End users can only submit variables according to the form fields of the assigned task.
- Perform access checks to prevent unwanted submission of variables.
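
The first acceptance criterion written as a server-side allow-list check, run against the request body from the steps above. This is an added example, not Camunda code: `check_submit_form`, `DisallowedVariables` and the way the form field ids are obtained are assumptions made for illustration.

```python
import json


class DisallowedVariables(Exception):
    """Raised when a submit-form body carries variables outside the task's form."""

    def __init__(self, names):
        super().__init__("variables not in task form: " + ", ".join(names))
        self.names = names


def check_submit_form(body_text, allowed_field_ids):
    """Return the variables map if every submitted name is a form field of the task.

    allowed_field_ids: ids of the form fields defined on the assigned user task.
    Assumption: the caller looks these up server-side, never from the request.
    """
    body = json.loads(body_text)
    if not isinstance(body, dict):
        raise ValueError("request body must be a JSON object")
    variables = body.get("variables", {})
    if not isinstance(variables, dict):
        raise ValueError("'variables' must be a JSON object")
    extra = sorted(set(variables) - set(allowed_field_ids))
    if extra:
        # Reject the whole request instead of silently dropping names, so the
        # attempt is visible to the caller and can be logged.
        raise DisallowedVariables(extra)
    return variables


# Constructed sample: the body from the reproduction steps, with "comment"
# as the only form field of the task.
SAMPLE_BODY = """
{"variables": {"comment": {"value": "This would be the only form field"},
               "some-other-variable": {"value": "modified"},
               "some-dmn-result": {"value": "100"}}}
"""
TASK_FORM_FIELDS = {"comment"}


def demo():
    """Return the variable names the check rejects for the sample request."""
    try:
        check_submit_form(SAMPLE_BODY, TASK_FORM_FIELDS)
    except DisallowedVariables as exc:
        return exc.names
    return []


if __name__ == "__main__":
    print(demo())
```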