  1. camunda BPM
  2. CAM-9623

Handle regressions in Authorization related to newly introduced Permissions


    • Task
    • Resolution: Fixed
    • L3 - Default
    • 7.11.0, 7.11.0-alpha1
    • None
    • engine
    • None

      The duplicated values of the Permissions lead to problems when checking the authorizations. For example, Permissions.CREATE_BATCH_DELETE_DECISION_INSTANCES and Permissions.UPDATE_INSTANCE values are duplicated.

      Please check the following test case:

        public void testAuthorizations() {
          Authorization authorization = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
          authorization.setUserId(userId);
          authorization.addPermission(BatchPermissions.CREATE_BATCH_DELETE_DECISION_INSTANCES);
          authorization.setResource(Resources.BATCH);
          authorization.setResourceId(ANY);
          authorizationService.saveAuthorization(authorization);
      
          processEngineConfiguration.setAuthorizationEnabled(true);
          assertEquals(false, authorizationService.isUserAuthorized(userId, Arrays.asList(groupId), Permissions.UPDATE_INSTANCE, Resources.BATCH));
          assertEquals(true, authorizationService.isUserAuthorized(userId, Arrays.asList(groupId), BatchPermissions.CREATE_BATCH_DELETE_DECISION_INSTANCES, Resources.BATCH));
          assertTrue(authorization.isPermissionRevoked(BatchPermissions.CREATE_BATCH_DELETE_DECISION_INSTANCES));
          assertFalse(authorization.isPermissionRevoked(Permissions.UPDATE_INSTANCE));
        }
      

      Investigate all of the places where the duplication is problematic and fix accordingly.

      REST API is affected as well: https://github.com/camunda/camunda-bpm-platform/blob/cf36405e281cf83860abadbe6c966fd8464519d6/engine-rest/engine-rest/src/main/java/org/camunda/bpm/engine/rest/AuthorizationRestService.java#L43
      Please have a look at:
      https://github.com/camunda/camunda-bpm-platform/blob/cf36405e281cf83860abadbe6c966fd8464519d6/engine-rest/engine-rest/src/main/java/org/camunda/bpm/engine/rest/util/AuthorizationUtil.java#L37
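
The collision described in this issue, modeled outside the engine as an added example (it is not Camunda's code and not the fix that was applied): a grant stored as a bit mask cannot tell apart two permissions that share a numeric value unless the check also considers which resource each permission belongs to. The bit values, the resource-type strings, and all class and method names below are assumptions made for illustration.

```java
import java.util.*;

public class PermissionCollisionDemo {
  interface Permission { String name(); int value(); String resourceType(); }

  // Constructed values (not the engine's): both enums reuse the same bit.
  enum GenericPermission implements Permission {
    UPDATE_INSTANCE(1 << 10, "PROCESS_INSTANCE");
    private final int value; private final String resourceType;
    GenericPermission(int v, String r) { value = v; resourceType = r; }
    public int value() { return value; }
    public String resourceType() { return resourceType; }
  }
  enum BatchPermission implements Permission {
    CREATE_BATCH_DELETE_DECISION_INSTANCES(1 << 10, "BATCH");
    private final int value; private final String resourceType;
    BatchPermission(int v, String r) { value = v; resourceType = r; }
    public int value() { return value; }
    public String resourceType() { return resourceType; }
  }

  // Value-only check: any permission carrying the same bit matches the grant.
  static boolean grantedByValue(int mask, Permission p) {
    return (mask & p.value()) == p.value();
  }
  // Resource-aware check: the permission must also be declared for the resource.
  static boolean grantedForResource(int mask, String resource, Permission p) {
    return p.resourceType().equals(resource) && grantedByValue(mask, p);
  }
  // Startup or unit-test guard: report permissions that share a numeric value.
  static List<String> findCollisions(List<Permission> all) {
    Map<Integer, Permission> seen = new HashMap<>();
    List<String> out = new ArrayList<>();
    for (Permission p : all) {
      Permission prev = seen.putIfAbsent(p.value(), p);
      if (prev != null) out.add(prev.name() + " == " + p.name() + " (" + p.value() + ")");
    }
    return out;
  }

  public static void main(String[] args) {
    Permission batch = BatchPermission.CREATE_BATCH_DELETE_DECISION_INSTANCES;
    Permission other = GenericPermission.UPDATE_INSTANCE;
    int grantMask = batch.value(); // grant on BATCH holding only the batch permission
    System.out.println("value-only, UPDATE_INSTANCE: " + grantedByValue(grantMask, other));
    System.out.println("resource-aware, UPDATE_INSTANCE: " + grantedForResource(grantMask, "BATCH", other));
    System.out.println("resource-aware, batch permission: " + grantedForResource(grantMask, "BATCH", batch));
    System.out.println("collisions: " + findCollisions(Arrays.<Permission>asList(other, batch)));
  }
}
```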


              thorben.lindhauer Thorben Lindhauer
              yana.vasileva Yana Vasileva