camunda BPM: CAM-8536

A user without delete history permissions can delete historic process instances


Details

    • Type: Bug Report
    • Resolution: Won't Fix
    • Priority: L3 - Default
    • Component: engine

    Description

      Given:

      • an existing user "kermit"
      • kermit has the following authorizations:
        • Resource: Process Definition; Permissions: READ, READ_INSTANCE, READ_HISTORY; Resource Id: *
        • Resource: Batch; Permissions: *; Resource Id: *

      Note: Kermit does not have any permission to delete historic instances.

      When:
      Kermit deletes a batch of historic process instances (using the batch deletion of historic process instances), whereby the deletion is executed asynchronously.

      Then:
      A batch is created and the batch will be executed asynchronously. As a result, the historic process instances are deleted.

      But:
      When the same deletion is executed synchronously, it fails with an AuthorizationException:

      The user with id 'kermit' does not have 'DELETE_HISTORY' permission on resource 'invoice' of type 'ProcessDefinition'.

      Problem:
      When the batch deletion is executed asynchronously, no authorization check is performed to verify that the user is allowed to delete those process instances.

      Expected Behavior:
      An authorization check verifies that the user is allowed to delete those process instances. The batch deletion always behaves the same way, regardless of whether it is executed asynchronously or synchronously.
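The scenario above as a runnable reproduction, added here and not part of the report or of Camunda's own code base. It assumes the Camunda 7 public Java API (deleteHistoricProcessInstance, deleteHistoricProcessInstancesAsync and the ManagementService job API under those names), a ProcessEngine with authorization enabled, and the id of an already-ended process instance such as one of the "invoice" definition; on an engine where both paths are guarded alike, the two methods return the same value.

```java
import java.util.Collections;
import org.camunda.bpm.engine.*;
import org.camunda.bpm.engine.authorization.*;
import org.camunda.bpm.engine.batch.Batch;
import org.camunda.bpm.engine.runtime.Job;

public class Cam8536Repro {
  // Exactly the grants from the report: read-only on all process definitions, everything on batches.
  public static void setUpKermit(ProcessEngine engine) {
    IdentityService identity = engine.getIdentityService();
    identity.saveUser(identity.newUser("kermit"));
    grant(engine, Resources.PROCESS_DEFINITION, Permissions.READ, Permissions.READ_INSTANCE, Permissions.READ_HISTORY);
    grant(engine, Resources.BATCH, Permissions.ALL);
  }

  private static void grant(ProcessEngine engine, Resource resource, Permission... permissions) {
    AuthorizationService authz = engine.getAuthorizationService();
    Authorization auth = authz.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
    auth.setUserId("kermit");
    auth.setResource(resource);
    auth.setResourceId("*");
    for (Permission p : permissions) auth.addPermission(p);
    authz.saveAuthorization(auth);
  }

  // Synchronous path: true if the engine rejected the deletion with an AuthorizationException.
  public static boolean syncDeleteIsDenied(ProcessEngine engine, String processInstanceId) {
    engine.getIdentityService().setAuthenticatedUserId("kermit");
    try {
      engine.getHistoryService().deleteHistoricProcessInstance(processInstanceId);
      return false;
    } catch (AuthorizationException denied) {
      return true;
    } finally {
      engine.getIdentityService().clearAuthentication();
    }
  }

  // Asynchronous path: kermit only creates the batch; its seed and execution jobs are then driven the way
  // the job executor runs them, with no authenticated user. True if the historic instance still exists.
  public static boolean asyncDeleteIsDenied(ProcessEngine engine, String processInstanceId) {
    HistoryService history = engine.getHistoryService();
    ManagementService mgmt = engine.getManagementService();
    engine.getIdentityService().setAuthenticatedUserId("kermit");
    Batch batch = history.deleteHistoricProcessInstancesAsync(Collections.singletonList(processInstanceId), "CAM-8536 repro");
    engine.getIdentityService().clearAuthentication();
    Job seed = mgmt.createJobQuery().jobDefinitionId(batch.getSeedJobDefinitionId()).singleResult();
    mgmt.executeJob(seed.getId());
    for (Job job : mgmt.createJobQuery().jobDefinitionId(batch.getBatchJobDefinitionId()).list()) mgmt.executeJob(job.getId());
    return history.createHistoricProcessInstanceQuery().processInstanceId(processInstanceId).count() == 1;
  }
}
```

Run both methods against the same ended instance: a differing result is the inconsistency the report describes, since the batch jobs execute without the identity of the user who requested the deletion.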

People

  Assignee: Unassigned
  Reporter: Roman Smirnov (roman.smirnov)