Details
- Bug Report
- Resolution: Unresolved
- L3 - Default
- None
- 7.11.0-alpha3, 7.12.0-alpha1, 7.12.0-alpha2, 7.12.0-alpha3, 7.12.0-alpha4
- None
Description
Given scenario:
1. Process Instance contains variables (Process instance variable scope)
2. A user is granted a READ_VARIABLES permission for all tasks.
Expected:
When the user tries to fetch the variables for this process instance, they do not see the variables.
Currently:
The variables are retrieved. Test case [1]
Observations:
When we build the query, the variable table is left joined to the authorization table like this:
```sql
...
LEFT JOIN (
  SELECT A.*
  FROM ACT_RU_AUTHORIZATION A
  WHERE A.TYPE_ < 2
    AND ( A.USER_ID_ IN ( 'test', '*' ) )
    AND ( ( A.RESOURCE_TYPE_ = 6 AND BITAND(A.PERMS_, 2097152) = 2097152
         OR A.RESOURCE_TYPE_ = 7 AND BITAND(A.PERMS_, 64) = 64 ) )
) AUTH ON (
  AUTH.RESOURCE_ID_ IN (
    RES.PROC_INST_ID_,
    PROC_EXECUTION.ID_,
    PROCDEF.KEY_,
    RES.TASK_ID_,
    '*'
  )
)
...
```
Problems:
- the AUTH.RESOURCE_ID_ IN part is hardcoded [2]
- the different resource types are not coupled to the specific id to which they are joined. In other words: the join must be based on both the RESOURCE_ID_ IN condition and the resource type permissions.
Concerns:
This is not the only place where this situation exists:
[1]: https://github.com/camunda/camunda-bpm-platform/blob/1b2d4b9087d07788bc75736d0470ac1ee5ba1cca/engine/src/test/java/org/camunda/bpm/engine/test/api/authorization/VariableInstanceAuthorizationTest.java#L171-L183
[2]: https://github.com/camunda/camunda-bpm-platform/blob/e0fa270bd8ad1d5e61582af704501129016078af/engine/src/main/resources/org/camunda/bpm/engine/impl/mapping/entity/VariableInstance.xml#L318-L325
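
The following is an added example, not code from the report or from the Camunda code base. It reproduces the join behaviour described above on a constructed in-memory SQLite schema and compares it with one possible coupled join condition. Assumptions: resource type 7 is the task resource and 6 the process definition resource, the table and column layout is a simplified stand-in (`PROC_EXECUTION.ID_` is omitted), and the elided outer filter is `AUTH.RESOURCE_ID_ IS NOT NULL`.

```python
import sqlite3

# Constructed, simplified stand-ins for the engine tables: only the columns the
# join in the report touches. PROC_DEF_KEY_ replaces the PROCDEF join.
SCHEMA = """
CREATE TABLE AUTH (TYPE_ INT, USER_ID_ TEXT, RESOURCE_TYPE_ INT,
                   RESOURCE_ID_ TEXT, PERMS_ INT);
CREATE TABLE VAR (NAME_ TEXT, PROC_INST_ID_ TEXT, PROC_DEF_KEY_ TEXT, TASK_ID_ TEXT);
-- Report scenario: 'test' holds permission bit 64 on resource type 7, id '*'.
INSERT INTO AUTH VALUES (1, 'test', 7, '*', 64);
-- Control: 'pd' holds bit 2097152 on resource type 6 for key 'invoice'.
INSERT INTO AUTH VALUES (1, 'pd', 6, 'invoice', 2097152);
INSERT INTO VAR VALUES ('instanceVar', 'pi-1', 'invoice', NULL);
INSERT INTO VAR VALUES ('taskVar', 'pi-1', 'invoice', 'task-1');
"""

# Same filter as the report's subquery; SQLite spells BITAND(a, b) as (a & b).
GRANTS = """SELECT A.* FROM AUTH A
WHERE A.TYPE_ < 2 AND A.USER_ID_ IN (:user, '*')
  AND ((A.RESOURCE_TYPE_ = 6 AND (A.PERMS_ & 2097152) = 2097152)
    OR (A.RESOURCE_TYPE_ = 7 AND (A.PERMS_ & 64) = 64))"""

# Join condition as reported: any granted resource id matches any column or '*'.
UNCOUPLED_ON = """AUTH.RESOURCE_ID_ IN
    (RES.PROC_INST_ID_, RES.PROC_DEF_KEY_, RES.TASK_ID_, '*')"""

# Assumed fix: each resource type may only match the id column it governs, and
# a task grant never applies to a variable that has no task.
COUPLED_ON = """(AUTH.RESOURCE_TYPE_ = 6
        AND AUTH.RESOURCE_ID_ IN (RES.PROC_DEF_KEY_, '*'))
    OR (AUTH.RESOURCE_TYPE_ = 7 AND RES.TASK_ID_ IS NOT NULL
        AND AUTH.RESOURCE_ID_ IN (RES.TASK_ID_, '*'))"""

def visible_variables(on_clause, user):
    """Return the variable names `user` can read under the given join condition."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    sql = f"""SELECT DISTINCT RES.NAME_ FROM VAR RES
              LEFT JOIN ({GRANTS}) AUTH ON ({on_clause})
              WHERE AUTH.RESOURCE_ID_ IS NOT NULL ORDER BY RES.NAME_"""
    return [row[0] for row in db.execute(sql, {"user": user})]

if __name__ == "__main__":
    for label, on in (("uncoupled", UNCOUPLED_ON), ("coupled", COUPLED_ON)):
        print(label, {u: visible_variables(on, u) for u in ("test", "pd")})
```

With the uncoupled condition the task-level `'*'` grant matches the literal `'*'` in the `IN` list for every row, so the process-instance-scoped variable is returned; the coupled condition keeps the process definition grant working while restricting the task grant to task-scoped variables.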