-
Type:
Bug Report
-
Resolution: Won't Fix
-
Priority:
L3 - Default
-
None
-
Affects Version/s: 7.4.0
-
Component/s: engine
-
None
-
Environment:Amazon Linux, Tomcat standalone distribution 7.4.0
Group level authorizations seem to be ignored on some REST API methods, including the following (possibly more).
- GET deployment
- GET process-definition
- GET process-instance
- GET group
For example, if we have an authorization on all deployments (permissions=ALL resource id = *) for a group bpm_admin, an authenticated member of that group should be able to query deployments via the GET deployment method. However, the method actually returns a 200 OK response with an empty response body.
If we add a user-specific authorization, the method responds correctly with the list of deployments.
This is the controller panel for Smart Panels app
- is related to
-
CAM-5134 I can read documentation how to disable authorization checks when using ldap plugin
-
- Closed
-