camunda BPM / CAM-8751

Increment Retries of failed External Task without authorization

      1. Scenario:
      • I, as a user, only have permission to read a process instance.
      • There exists an incident on an external task (retries are zero).
      • I try to update the retries via Cockpit.
      • Cockpit shows me the message "Finished : Incrementing the number of retries finished successfully."
      • But in the console I see:
        16-Feb-2018 08:30:32.770 WARNING [http-nio-8080-exec-11] org.camunda.bpm.engine.rest.exception.ProcessEngineExceptionHandler.toResponse org.camunda.bpm.engine.AuthorizationException: The user with id 'john' does not have one of the following permissions: 'UPDATE' permission on resource 'fb1a12f2-12e9-11e8-ba9c-0242debfd039' of type 'ProcessInstance' or 'UPDATE_INSTANCE' permission on resource 'Process_1' of type 'ProcessDefinition'
                at org.camunda.bpm.engine.impl.persistence.entity.AuthorizationManager.checkAuthorization(AuthorizationManager.java:232)
                at org.camunda.bpm.engine.impl.persistence.entity.AuthorizationManager.checkAuthorization(AuthorizationManager.java:189)
                at org.camunda.bpm.engine.impl.cfg.auth.AuthorizationCommandChecker.checkUpdateProcessInstance(AuthorizationCommandChecker.java:204)
                at org.camunda.bpm.engine.impl.cfg.auth.AuthorizationCommandChecker.checkUpdateProcessInstanceById(AuthorizationCommandChecker.java:178)
                at org.camunda.bpm.engine.impl.cmd.ExternalTaskCmd.execute(ExternalTaskCmd.java:55)
                at org.camunda.bpm.engine.impl.cmd.ExternalTaskCmd.execute(ExternalTaskCmd.java:34)
                at org.camunda.bpm.engine.impl.interceptor.CommandExecutorImpl.execute(CommandExecutorImpl.java:24)
                at org.camunda.bpm.engine.impl.interceptor.CommandContextInterceptor.execute(CommandContextInterceptor.java:104)
                at org.camunda.bpm.engine.impl.interceptor.ProcessApplicationContextInterceptor.execute(ProcessApplicationContextInterceptor.java:66)
                at org.camunda.bpm.engine.impl.interceptor.LogInterceptor.execute(LogInterceptor.java:30)
                at org.camunda.bpm.engine.impl.ExternalTaskServiceImpl.setRetries(ExternalTaskServiceImpl.java:69)
                at org.camunda.bpm.engine.impl.ExternalTaskServiceImpl.setRetries(ExternalTaskServiceImpl.java:86)
                at org.camunda.bpm.engine.rest.sub.externaltask.impl.ExternalTaskResourceImpl.setRetries(ExternalTaskResourceImpl.java:83)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                at java.lang.reflect.Method.invoke(Method.java:498)
                at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
                at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:257)
                at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:222)
                at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159)
                at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107)
                at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154)
                at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92)
                at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
                at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
                at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
                at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
                at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
                at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
                at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
                at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
                at org.camunda.bpm.engine.rest.filter.CacheControlFilter.doFilter(CacheControlFilter.java:41)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
                at org.camunda.bpm.engine.rest.filter.EmptyBodyFilter.doFilter(EmptyBodyFilter.java:95)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
                at org.camunda.bpm.webapp.impl.security.filter.SecurityFilter.doFilterSecure(SecurityFilter.java:67)
                at org.camunda.bpm.webapp.impl.security.filter.SecurityFilter.doFilter(SecurityFilter.java:51)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
                at org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter$1.execute(AuthenticationFilter.java:58)
                at org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter$1.execute(AuthenticationFilter.java:56)
                at org.camunda.bpm.webapp.impl.security.SecurityActions.runWithAuthentications(SecurityActions.java:40)
                at org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:56)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
                at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
                at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
                at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
                at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
                at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
                at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
                at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
                at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
                at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
                at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
                at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
                at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
                at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
                at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
                at java.lang.Thread.run(Thread.java:748)
        

      2. How to reproduce
      • Run Tomcat 7.8.1
      • Create the exampleWarProject and deploy it
      • Log in as demo
      • Adjust permissions for the sales group:
        • Sales group needs to have access to Cockpit
        • On process definition level they need READ, READ_INSTANCE, READ_HISTORY permission
        • On process instance level they need READ permission
      • Start the process with the demo user
      • fetchAndLock the ExternalTask and call handleFailure with 0 retries (via REST)
      • Log in as john
      • Open Cockpit and try to resolve the incident by updating the retries
      • A success message is shown and an error is printed in the log (server/apache-tomcat-8.0.47/logs/catalina.out)
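
Since Cockpit reports success in this scenario, the server log is the only place the denial shows up. The following is an added example, not part of the original issue or of Camunda's code: it parses log lines in the format quoted above and reports which user was denied which REST operation. The sample log is constructed from the trace in this report (abridged), plus one constructed repeat and one constructed startup line.

```python
import re
from collections import Counter

# Header of a denial as written by the REST exception handler
# (layout taken from the log line quoted in this issue).
HEADER = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) WARNING "
    r"\[(?P<thread>[^\]]+)\] \S*ProcessEngineExceptionHandler\.toResponse "
    r"org\.camunda\.bpm\.engine\.AuthorizationException: "
    r"The user with id '(?P<user>[^']*)' (?P<detail>.*)$"
)
# One alternative from the "does not have one of the following permissions" list.
PERMISSION = re.compile(
    r"'(?P<perm>[^']+)' permission on resource '(?P<res>[^']+)' "
    r"of type '(?P<type>[^']+)'"
)
# A stack frame: "<whitespace>at package.Class.method(File.java:NN)".
FRAME = re.compile(r"^\s+at (?P<cls>[\w.$]+)\.(?P<method>[\w$<>]+)\(")
REST_PREFIX = "org.camunda.bpm.engine.rest."


def parse_denials(lines):
    """Return one dict per AuthorizationException logged by the REST layer."""
    events, current = [], None
    for line in lines:
        header = HEADER.match(line)
        if header:
            current = {
                "time": header["ts"],
                "thread": header["thread"],
                "user": header["user"],
                # Any ONE of these permissions would have allowed the call.
                "missing": [(p["perm"], p["type"], p["res"])
                            for p in PERMISSION.finditer(header["detail"])],
                # Filled from the first REST-layer frame below the header;
                # stays None if the trace has no such frame.
                "operation": None,
            }
            events.append(current)
            continue
        frame = FRAME.match(line)
        if frame and current is not None:
            if current["operation"] is None and frame["cls"].startswith(REST_PREFIX):
                simple_name = frame["cls"].rsplit(".", 1)[-1]
                current["operation"] = simple_name + "." + frame["method"]
        elif not frame:
            current = None  # any non-frame line ends the current stack trace
    return events


def summarize(events):
    """Count denials per (user, attempted REST operation)."""
    return Counter((e["user"], e["operation"]) for e in events)


# --- Constructed sample input (message and frames copied from this issue) ---
DENIAL_MESSAGE = (
    "org.camunda.bpm.engine.rest.exception.ProcessEngineExceptionHandler.toResponse "
    "org.camunda.bpm.engine.AuthorizationException: The user with id 'john' does not "
    "have one of the following permissions: 'UPDATE' permission on resource "
    "'fb1a12f2-12e9-11e8-ba9c-0242debfd039' of type 'ProcessInstance' or "
    "'UPDATE_INSTANCE' permission on resource 'Process_1' of type 'ProcessDefinition'"
)
TRACE_FRAMES = [  # abridged from the full trace above
    "\tat org.camunda.bpm.engine.impl.persistence.entity.AuthorizationManager"
    ".checkAuthorization(AuthorizationManager.java:232)",
    "\tat org.camunda.bpm.engine.impl.cmd.ExternalTaskCmd.execute(ExternalTaskCmd.java:55)",
    "\tat org.camunda.bpm.engine.impl.ExternalTaskServiceImpl.setRetries"
    "(ExternalTaskServiceImpl.java:69)",
    "\tat org.camunda.bpm.engine.rest.sub.externaltask.impl.ExternalTaskResourceImpl"
    ".setRetries(ExternalTaskResourceImpl.java:83)",
    "\tat org.camunda.bpm.engine.rest.filter.CacheControlFilter.doFilter"
    "(CacheControlFilter.java:41)",
    "\tat java.lang.Thread.run(Thread.java:748)",
]
SAMPLE_LOG = (
    # Constructed unrelated line: must be ignored.
    ["16-Feb-2018 08:30:01.000 INFO [main] org.apache.catalina.startup.Catalina.start "
     "Server startup in 9000 ms"]
    # The denial from this report.
    + ["16-Feb-2018 08:30:32.770 WARNING [http-nio-8080-exec-11] " + DENIAL_MESSAGE]
    + TRACE_FRAMES
    # Constructed repeat (a second attempt), to show aggregation.
    + ["16-Feb-2018 08:31:05.112 WARNING [http-nio-8080-exec-3] " + DENIAL_MESSAGE]
    + TRACE_FRAMES
)

if __name__ == "__main__":
    for (user, operation), count in summarize(parse_denials(SAMPLE_LOG)).items():
        print(f"{user} denied {count}x at {operation}")
```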

            Christopher Kujawa created issue -
            Christopher Kujawa made changes -
            Description Original: # Scenario:

             * Me, as an user, has only permissions to read a process instance.
             * There exist an incident on an external task (retries are zero)
             * Me tries to update the retries via cockpit.
             * Cockpit shows me the message {{Finished : Incrementing the number of retries finished successfully.}}
             * But in the console I see:
            {code}
            16-Feb-2018 08:30:32.770 WARNING [http-nio-8080-exec-11] org.camunda.bpm.engine.rest.exception.ProcessEngineExceptionHandler.toResponse org.camunda.bpm.engine.AuthorizationException: The user with id 'john' does not have one of the following permissions: 'UPDATE' permission on resource 'fb1a12f2-12e9-11e8-ba9c-0242debfd039' of type 'ProcessInstance' or 'UPDATE_INSTANCE' permission on resource 'Process_1' of type 'ProcessDefinition'
                    at org.camunda.bpm.engine.impl.persistence.entity.AuthorizationManager.checkAuthorization(AuthorizationManager.java:232)
                    at org.camunda.bpm.engine.impl.persistence.entity.AuthorizationManager.checkAuthorization(AuthorizationManager.java:189)
                    at org.camunda.bpm.engine.impl.cfg.auth.AuthorizationCommandChecker.checkUpdateProcessInstance(AuthorizationCommandChecker.java:204)
                    at org.camunda.bpm.engine.impl.cfg.auth.AuthorizationCommandChecker.checkUpdateProcessInstanceById(AuthorizationCommandChecker.java:178)
                    at org.camunda.bpm.engine.impl.cmd.ExternalTaskCmd.execute(ExternalTaskCmd.java:55)
                    at org.camunda.bpm.engine.impl.cmd.ExternalTaskCmd.execute(ExternalTaskCmd.java:34)
                    at org.camunda.bpm.engine.impl.interceptor.CommandExecutorImpl.execute(CommandExecutorImpl.java:24)
                    at org.camunda.bpm.engine.impl.interceptor.CommandContextInterceptor.execute(CommandContextInterceptor.java:104)
                    at org.camunda.bpm.engine.impl.interceptor.ProcessApplicationContextInterceptor.execute(ProcessApplicationContextInterceptor.java:66)
                    at org.camunda.bpm.engine.impl.interceptor.LogInterceptor.execute(LogInterceptor.java:30)
                    at org.camunda.bpm.engine.impl.ExternalTaskServiceImpl.setRetries(ExternalTaskServiceImpl.java:69)
                    at org.camunda.bpm.engine.impl.ExternalTaskServiceImpl.setRetries(ExternalTaskServiceImpl.java:86)
                    at org.camunda.bpm.engine.rest.sub.externaltask.impl.ExternalTaskResourceImpl.setRetries(ExternalTaskResourceImpl.java:83)
                    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
                    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                    at java.lang.reflect.Method.invoke(Method.java:498)
                    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
                    at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:257)
                    at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:222)
                    at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159)
                    at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107)
                    at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154)
                    at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92)
                    at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
                    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
                    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
                    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
                    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
                    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
                    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
                    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
                    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
                    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
                    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
                    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
                    at org.camunda.bpm.engine.rest.filter.CacheControlFilter.doFilter(CacheControlFilter.java:41)
                    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
                    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
                    at org.camunda.bpm.engine.rest.filter.EmptyBodyFilter.doFilter(EmptyBodyFilter.java:95)
                    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
                    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
                    at org.camunda.bpm.webapp.impl.security.filter.SecurityFilter.doFilterSecure(SecurityFilter.java:67)
                    at org.camunda.bpm.webapp.impl.security.filter.SecurityFilter.doFilter(SecurityFilter.java:51)
                    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
                    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
                    at org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter$1.execute(AuthenticationFilter.java:58)
                    at org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter$1.execute(AuthenticationFilter.java:56)
                    at org.camunda.bpm.webapp.impl.security.SecurityActions.runWithAuthentications(SecurityActions.java:40)
                    at org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:56)
                    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
                    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
                    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
                    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
                    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
                    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
                    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
                    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
                    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
                    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
                    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
                    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
                    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
                    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
                    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
                    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
                    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
                    at java.lang.Thread.run(Thread.java:748)
            {code}


            # How to reproduce

             * Run tomcat 7.8.1
             * create the exampleWarProject and deploy it
             * Login as demo
             * Adjust Permissions for sales group:
              ** Sales group needs to have access to cockpit
              ** On Process definition level they need {{READ, READ_INSTANCE, READ_HISTORY}} permission
              ** On process instance level they need {{READ}} permission
              * start with Demo user the process
             * fetchAndLock the ExternalTask and call failed with 0 retries
             * login with john
             * open cockpit and try to resolve incident with update retries
             * successful message is shown and error is printed in the log ({{server/apache-tomcat-8.0.47/logs/catalina.out}})
             
            New: # Scenario:

             * Me, as an user, has only permissions to read a process instance.
             * There exist an incident on an external task (retries are zero)
             * Me tries to update the retries via cockpit.
             * Cockpit shows me the message {{Finished : Incrementing the number of retries finished successfully.}}
             * But in the console I see:
            {code}
            16-Feb-2018 08:30:32.770 WARNING [http-nio-8080-exec-11] org.camunda.bpm.engine.rest.exception.ProcessEngineExceptionHandler.toResponse org.camunda.bpm.engine.AuthorizationException: The user with id 'john' does not have one of the following permissions: 'UPDATE' permission on resource 'fb1a12f2-12e9-11e8-ba9c-0242debfd039' of type 'ProcessInstance' or 'UPDATE_INSTANCE' permission on resource 'Process_1' of type 'ProcessDefinition'
                    at org.camunda.bpm.engine.impl.persistence.entity.AuthorizationManager.checkAuthorization(AuthorizationManager.java:232)
                    at org.camunda.bpm.engine.impl.persistence.entity.AuthorizationManager.checkAuthorization(AuthorizationManager.java:189)
                    at org.camunda.bpm.engine.impl.cfg.auth.AuthorizationCommandChecker.checkUpdateProcessInstance(AuthorizationCommandChecker.java:204)
                    at org.camunda.bpm.engine.impl.cfg.auth.AuthorizationCommandChecker.checkUpdateProcessInstanceById(AuthorizationCommandChecker.java:178)
                    at org.camunda.bpm.engine.impl.cmd.ExternalTaskCmd.execute(ExternalTaskCmd.java:55)
                    at org.camunda.bpm.engine.impl.cmd.ExternalTaskCmd.execute(ExternalTaskCmd.java:34)
                    at org.camunda.bpm.engine.impl.interceptor.CommandExecutorImpl.execute(CommandExecutorImpl.java:24)
                    at org.camunda.bpm.engine.impl.interceptor.CommandContextInterceptor.execute(CommandContextInterceptor.java:104)
                    at org.camunda.bpm.engine.impl.interceptor.ProcessApplicationContextInterceptor.execute(ProcessApplicationContextInterceptor.java:66)
                    at org.camunda.bpm.engine.impl.interceptor.LogInterceptor.execute(LogInterceptor.java:30)
                    at org.camunda.bpm.engine.impl.ExternalTaskServiceImpl.setRetries(ExternalTaskServiceImpl.java:69)
                    at org.camunda.bpm.engine.impl.ExternalTaskServiceImpl.setRetries(ExternalTaskServiceImpl.java:86)
                    at org.camunda.bpm.engine.rest.sub.externaltask.impl.ExternalTaskResourceImpl.setRetries(ExternalTaskResourceImpl.java:83)
                    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
                    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                    at java.lang.reflect.Method.invoke(Method.java:498)
                    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
                    at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:257)
                    at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:222)
                    at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159)
                    at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107)
                    at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154)
                    at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92)
                    at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
                    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
                    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
                    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
                    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
                    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
                    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
                    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
                    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
                    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
                    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
                    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
                    at org.camunda.bpm.engine.rest.filter.CacheControlFilter.doFilter(CacheControlFilter.java:41)
                    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
                    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
                    at org.camunda.bpm.engine.rest.filter.EmptyBodyFilter.doFilter(EmptyBodyFilter.java:95)
                    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
                    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
                    at org.camunda.bpm.webapp.impl.security.filter.SecurityFilter.doFilterSecure(SecurityFilter.java:67)
                    at org.camunda.bpm.webapp.impl.security.filter.SecurityFilter.doFilter(SecurityFilter.java:51)
                    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
                    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
                    at org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter$1.execute(AuthenticationFilter.java:58)
                    at org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter$1.execute(AuthenticationFilter.java:56)
                    at org.camunda.bpm.webapp.impl.security.SecurityActions.runWithAuthentications(SecurityActions.java:40)
                    at org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:56)
                    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
                    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
                    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
                    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
                    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
                    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
                    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
                    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
                    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
                    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
                    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
                    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
                    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
                    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
                    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
                    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
                    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
                    at java.lang.Thread.run(Thread.java:748)
            {code}

            ----

            # How to reproduce

             * Run tomcat 7.8.1
             * create the exampleWarProject and deploy it
             * Login as demo
             * Adjust Permissions for sales group:
              ** Sales group needs to have access to cockpit
              ** On Process definition level they need {{READ, READ_INSTANCE, READ_HISTORY}} permission
              ** On process instance level they need {{READ}} permission
              * start with Demo user the process
             * fetchAndLock the ExternalTask and call failed with 0 retries
             * login with john
             * open cockpit and try to resolve incident with update retries
             * successful message is shown and error is printed in the log ({{server/apache-tomcat-8.0.47/logs/catalina.out}})
             
            Christopher Kujawa made changes -
            Description Original: # Scenario:

             * Me, as an user, has only permissions to read a process instance.
             * There exist an incident on an external task (retries are zero)
             * Me tries to update the retries via cockpit.
             * Cockpit shows me the message {{Finished : Incrementing the number of retries finished successfully.}}
             * But in the console I see:
            {code}
            16-Feb-2018 08:30:32.770 WARNING [http-nio-8080-exec-11] org.camunda.bpm.engine.rest.exception.ProcessEngineExceptionHandler.toResponse org.camunda.bpm.engine.AuthorizationException: The user with id 'john' does not have one of the following permissions: 'UPDATE' permission on resource 'fb1a12f2-12e9-11e8-ba9c-0242debfd039' of type 'ProcessInstance' or 'UPDATE_INSTANCE' permission on resource 'Process_1' of type 'ProcessDefinition'
                    at org.camunda.bpm.engine.impl.persistence.entity.AuthorizationManager.checkAuthorization(AuthorizationManager.java:232)
                    at org.camunda.bpm.engine.impl.persistence.entity.AuthorizationManager.checkAuthorization(AuthorizationManager.java:189)
                    at org.camunda.bpm.engine.impl.cfg.auth.AuthorizationCommandChecker.checkUpdateProcessInstance(AuthorizationCommandChecker.java:204)
                    at org.camunda.bpm.engine.impl.cfg.auth.AuthorizationCommandChecker.checkUpdateProcessInstanceById(AuthorizationCommandChecker.java:178)
                    at org.camunda.bpm.engine.impl.cmd.ExternalTaskCmd.execute(ExternalTaskCmd.java:55)
                    at org.camunda.bpm.engine.impl.cmd.ExternalTaskCmd.execute(ExternalTaskCmd.java:34)
                    at org.camunda.bpm.engine.impl.interceptor.CommandExecutorImpl.execute(CommandExecutorImpl.java:24)
                    at org.camunda.bpm.engine.impl.interceptor.CommandContextInterceptor.execute(CommandContextInterceptor.java:104)
                    at org.camunda.bpm.engine.impl.interceptor.ProcessApplicationContextInterceptor.execute(ProcessApplicationContextInterceptor.java:66)
                    at org.camunda.bpm.engine.impl.interceptor.LogInterceptor.execute(LogInterceptor.java:30)
                    at org.camunda.bpm.engine.impl.ExternalTaskServiceImpl.setRetries(ExternalTaskServiceImpl.java:69)
                    at org.camunda.bpm.engine.impl.ExternalTaskServiceImpl.setRetries(ExternalTaskServiceImpl.java:86)
                    at org.camunda.bpm.engine.rest.sub.externaltask.impl.ExternalTaskResourceImpl.setRetries(ExternalTaskResourceImpl.java:83)
            {code}

            ----

            # How to reproduce

             * Run Tomcat 7.8.1
             * Create the exampleWarProject and deploy it
             * Log in as demo
             * Adjust permissions for the sales group:
              ** The sales group needs to have access to Cockpit
              ** On process definition level they need the {{READ, READ_INSTANCE, READ_HISTORY}} permissions
              ** On process instance level they need the {{READ}} permission
             * Start with Demo user the process
             * fetchAndLock the ExternalTask and call failed with 0 retries
             * Log in with john
             * Open Cockpit and try to resolve the incident with update retries
             * A success message is shown and an error is printed in the log ({{server/apache-tomcat-8.0.47/logs/catalina.out}})
             
            New: # Scenario:

             * I, as a user, only have permissions to read a process instance.
             * There exists an incident on an external task (retries are zero).
             * I try to update the retries via Cockpit.
             * Cockpit shows me the message {{Finished : Incrementing the number of retries finished successfully.}}
             * But in the console I see:
            {code}
            16-Feb-2018 08:30:32.770 WARNING [http-nio-8080-exec-11] org.camunda.bpm.engine.rest.exception.ProcessEngineExceptionHandler.toResponse org.camunda.bpm.engine.AuthorizationException: The user with id 'john' does not have one of the following permissions: 'UPDATE' permission on resource 'fb1a12f2-12e9-11e8-ba9c-0242debfd039' of type 'ProcessInstance' or 'UPDATE_INSTANCE' permission on resource 'Process_1' of type 'ProcessDefinition'
                    at org.camunda.bpm.engine.impl.persistence.entity.AuthorizationManager.checkAuthorization(AuthorizationManager.java:232)
                    at org.camunda.bpm.engine.impl.persistence.entity.AuthorizationManager.checkAuthorization(AuthorizationManager.java:189)
                    at org.camunda.bpm.engine.impl.cfg.auth.AuthorizationCommandChecker.checkUpdateProcessInstance(AuthorizationCommandChecker.java:204)
                    at org.camunda.bpm.engine.impl.cfg.auth.AuthorizationCommandChecker.checkUpdateProcessInstanceById(AuthorizationCommandChecker.java:178)
                    at org.camunda.bpm.engine.impl.cmd.ExternalTaskCmd.execute(ExternalTaskCmd.java:55)
                    at org.camunda.bpm.engine.impl.cmd.ExternalTaskCmd.execute(ExternalTaskCmd.java:34)
                    at org.camunda.bpm.engine.impl.interceptor.CommandExecutorImpl.execute(CommandExecutorImpl.java:24)
                    at org.camunda.bpm.engine.impl.interceptor.CommandContextInterceptor.execute(CommandContextInterceptor.java:104)
                    at org.camunda.bpm.engine.impl.interceptor.ProcessApplicationContextInterceptor.execute(ProcessApplicationContextInterceptor.java:66)
                    at org.camunda.bpm.engine.impl.interceptor.LogInterceptor.execute(LogInterceptor.java:30)
                    at org.camunda.bpm.engine.impl.ExternalTaskServiceImpl.setRetries(ExternalTaskServiceImpl.java:69)
                    at org.camunda.bpm.engine.impl.ExternalTaskServiceImpl.setRetries(ExternalTaskServiceImpl.java:86)
                    at org.camunda.bpm.engine.rest.sub.externaltask.impl.ExternalTaskResourceImpl.setRetries(ExternalTaskResourceImpl.java:83)
            {code}

            ----

            # How to reproduce

             * Run Tomcat 7.8.1
             * Create the exampleWarProject and deploy it
             * Log in as demo
             * Adjust permissions for the sales group:
              ** The sales group needs to have access to Cockpit
              ** On process definition level they need the {{READ, READ_INSTANCE, READ_HISTORY}} permissions
              ** On process instance level they need the {{READ}} permission
             * Start the process with the Demo user
             * fetchAndLock the ExternalTask and call handleFailure with 0 retries (via REST)
             * Log in with john
             * Open Cockpit and try to resolve the incident by updating the retries
             * A success message is shown and an error is printed in the log ({{server/apache-tomcat-8.0.47/logs/catalina.out}})
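
Because Cockpit reports success here, the server log is the only place the denied call is visible. The following is an added example, not part of the original issue or of Camunda's code: it extracts each `AuthorizationException` entry from log lines in the format quoted above and reports the user, the missing permissions and the REST method that was refused. The names `denied_calls`, `DENIED`, `PERM` and `REST_FRAME` are hypothetical, and the log layout is assumed to match the entry on this page.

```python
import re

# Excerpt of the catalina.out entry quoted on this page (stack frames trimmed),
# followed by one constructed line that must not be reported.
SAMPLE = """\
16-Feb-2018 08:30:32.770 WARNING [http-nio-8080-exec-11] org.camunda.bpm.engine.rest.exception.ProcessEngineExceptionHandler.toResponse org.camunda.bpm.engine.AuthorizationException: The user with id 'john' does not have one of the following permissions: 'UPDATE' permission on resource 'fb1a12f2-12e9-11e8-ba9c-0242debfd039' of type 'ProcessInstance' or 'UPDATE_INSTANCE' permission on resource 'Process_1' of type 'ProcessDefinition'
        at org.camunda.bpm.engine.impl.cmd.ExternalTaskCmd.execute(ExternalTaskCmd.java:55)
        at org.camunda.bpm.engine.impl.ExternalTaskServiceImpl.setRetries(ExternalTaskServiceImpl.java:86)
        at org.camunda.bpm.engine.rest.sub.externaltask.impl.ExternalTaskResourceImpl.setRetries(ExternalTaskResourceImpl.java:83)
        at org.camunda.bpm.engine.rest.filter.CacheControlFilter.doFilter(CacheControlFilter.java:41)
16-Feb-2018 08:31:00.000 INFO [main] constructed.Example line unrelated to authorization
"""

# First line of a denied engine call as logged by ProcessEngineExceptionHandler.
DENIED = re.compile(
    r"^(?P<ts>\S+ \S+) WARNING \[[^\]]+\] .*?"
    r"AuthorizationException: The user with id '(?P<user>[^']+)' "
    r"does not have one of the following permissions: (?P<perms>.+)$"
)
# One alternative from the "one of the following permissions" list.
PERM = re.compile(
    r"'(?P<perm>[^']+)' permission on resource '(?P<res>[^']+)' "
    r"of type '(?P<type>[^']+)'"
)
# A stack frame inside the engine's REST layer: (qualified class, method).
REST_FRAME = re.compile(r"^\s+at (org\.camunda\.bpm\.engine\.rest\.[\w.$]+)\.(\w+)\(")


def denied_calls(lines):
    """Return one record per AuthorizationException block in the log lines."""
    records, current = [], None
    for line in lines:
        header = DENIED.match(line)
        if header:
            current = {
                "time": header["ts"],
                "user": header["user"],
                "endpoint": None,  # filled from the first REST-layer frame
                "missing": [p.groupdict() for p in PERM.finditer(header["perms"])],
            }
            records.append(current)
        elif current is not None and line.lstrip().startswith("at "):
            frame = REST_FRAME.match(line)
            if frame and current["endpoint"] is None:
                current["endpoint"] = frame[1].rsplit(".", 1)[-1] + "." + frame[2]
        else:
            current = None  # any non-frame line ends the stack trace
    return records


if __name__ == "__main__":
    for record in denied_calls(SAMPLE.splitlines()):
        print(record)
```

Each record can then be compared with what the user was shown in the UI for the same time and resource.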
             
            Christopher Kujawa made changes -
            Link New: This issue is depended on by SUPPORT-4070 [ SUPPORT-4070 ]
            Roman Smirnov made changes -
            Fix Version/s New: 7.9.0 [ 15096 ]
            Roman Smirnov made changes -
            Assignee New: Fabian [ fabian.hinsenkamp ]
            Roman Smirnov made changes -
            Rank New: Ranked higher
            Fabian made changes -
            Status Original: Open [ 1 ] New: In Progress [ 3 ]
            Roman Smirnov made changes -
            Fix Version/s New: 7.8.3 [ 15196 ]
            Fix Version/s Original: 7.8.x [ 14900 ]
            Fabian made changes -
            Assignee Original: Fabian [ fabian.hinsenkamp ] New: Seif [ seif.ghezala ]
            Resolution New: Fixed [ 1 ]
            Status Original: In Progress [ 3 ] New: Resolved [ 5 ]
            Remaining Estimate New: 0 minutes [ 0 ]
            Original Estimate New: 0 minutes [ 0 ]

              michael.schoettes Michael Schoettes
              christopher.zell Christopher Kujawa