Bug Report
Resolution: Won't Fix
L3 - Default
Given:
- an existing user "kermit"
- kermit has the following authorizations:
  - Resource: Process Definition; Permissions: READ, READ_INSTANCE, READ_HISTORY; Resource Id: *
  - Resource: Batch; Permissions: *; Resource Id: *
Note: Kermit does not have any permission to delete historic instances.
When:
Kermit deletes a batch of historic process instances (using the batch deletion of historic process instances), whereby the deletion is executed asynchronously.
Then:
A batch is created and the batch will be executed asynchronously. As a result, the historic process instances are deleted.
But:
When the batch deletion is executed synchronously, then the deletion fails with an AuthorizationException:
The user with id 'kermit' does not have 'DELETE_HISTORY' permission on resource 'invoice' of type 'ProcessDefinition'.
Problem:
When the batch deletion is executed asynchronously, there is no authorization check that the user is allowed to delete those process instances.
Expected Behavior:
There is an authorization check to verify that the user is allowed to delete those process instances. The batch deletion always behaves the same way, regardless of whether it is executed asynchronously or synchronously.
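The expected behavior above, sketched as an added example: a constructed Python model, not Camunda code or its API. It routes the synchronous and asynchronous paths through one DELETE_HISTORY check that runs when the batch is submitted. All names here (`GRANTS`, `HISTORY`, `QUEUE`, `check_delete_history`, `delete_sync`, `delete_async`, `run_worker`), the `CREATE` batch permission and the instance ids are assumptions made for illustration.

```python
"""Constructed model (not Camunda code): one authorization check shared by the
synchronous and asynchronous history-deletion paths."""
from collections import deque

class AuthorizationError(Exception):
    pass

# Constructed grants mirroring the report: (resource type, resource id) -> permissions
GRANTS = {
    "kermit": {
        ("ProcessDefinition", "*"): {"READ", "READ_INSTANCE", "READ_HISTORY"},
        ("Batch", "*"): {"*"},
    },
}
# Constructed history: historic instance id -> process definition key
HISTORY = {"hpi-1": "invoice", "hpi-2": "invoice"}
QUEUE = deque()  # stands in for the job queue; its worker has no user context

def is_permitted(user, permission, rtype, rid):
    grants = GRANTS.get(user, {})
    for key in ((rtype, rid), (rtype, "*")):
        perms = grants.get(key, set())
        if permission in perms or "*" in perms:
            return True
    return False

def check_delete_history(user, instance_ids):
    """Require DELETE_HISTORY on the definition of every targeted instance."""
    for key in sorted({HISTORY[i] for i in instance_ids}):
        if not is_permitted(user, "DELETE_HISTORY", "ProcessDefinition", key):
            raise AuthorizationError(
                f"The user with id '{user}' does not have 'DELETE_HISTORY' "
                f"permission on resource '{key}' of type 'ProcessDefinition'.")

def delete_sync(user, instance_ids):
    check_delete_history(user, instance_ids)
    for i in instance_ids:
        HISTORY.pop(i)

def delete_async(user, instance_ids):
    # Both checks run at submission, under the caller's identity, because the
    # worker that later executes the batch has no user to check against.
    if not is_permitted(user, "CREATE", "Batch", "*"):
        raise AuthorizationError(f"'{user}' may not create batches")
    check_delete_history(user, instance_ids)
    QUEUE.append(list(instance_ids))

def run_worker():
    while QUEUE:
        for i in QUEUE.popleft():
            HISTORY.pop(i, None)
```

With the grants from the report, both paths raise the same error and nothing is queued; the batch is accepted only once DELETE_HISTORY is granted on the process definition.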
Is related to: CAM-8432 I can delete historic decision instances using the Java API (Closed)