The KPI report retrieval returns all reports of a given process regardless of authorization, yet the KPI report evaluation uses an evaluation method that performs an authorization check. This means that if a user is authorized to see a process but not authorized to access all of that process's KPI reports, the processes page breaks.
Instead, the KPI report evaluation should not perform a report authorization check.
Given: Both userA and userB have access to processA.
- Log in as userA and create a private KPI report for processA.
- Log in as userB and go to the processes page.
The process overview retrieval will throw a ForbiddenException, leading to the page displaying a "You are not authorized to perform the requested action" error message and failing to load the process overview.
The process overview page should load without errors and display the KPI report result that userA created.
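A minimal model of the mismatch described above, added here as an illustration and not taken from the project's code: retrieval returns every KPI report of a process, while evaluation optionally applies a report-level check. All names except `ForbiddenException` are hypothetical, the data is constructed, and it assumes the process-level check stays in place in both variants.

```python
# Hypothetical model of the behaviour in this report; not the project's code.
from dataclasses import dataclass

MESSAGE = "You are not authorized to perform the requested action"

class ForbiddenException(Exception):
    pass

@dataclass(frozen=True)
class KpiReport:
    report_id: str
    process: str
    owner: str
    private: bool
    value: int  # constructed KPI result

# Constructed sample data: both users may see processA; userA owns a private report.
PROCESS_ACCESS = {"processA": {"userA", "userB"}}
REPORTS = [KpiReport("kpi-1", "processA", "userA", True, 42)]

def may_see_process(user, process):
    return user in PROCESS_ACCESS.get(process, set())

def may_see_report(user, report):
    return report.owner == user or not report.private

def get_kpi_reports(process):
    # Retrieval as described: every report of the process, no report-level check.
    return [r for r in REPORTS if r.process == process]

def evaluate(report, user, check_report_auth):
    # With check_report_auth=True this is the evaluation path that breaks the page.
    if check_report_auth and not may_see_report(user, report):
        raise ForbiddenException(MESSAGE)
    return report.value

def process_overview(user, process, check_report_auth):
    # Assumption: process-level authorization is enforced in both variants.
    if not may_see_process(user, process):
        raise ForbiddenException(MESSAGE)
    return {r.report_id: evaluate(r, user, check_report_auth)
            for r in get_kpi_reports(process)}

def overview_or_error(user, process, check_report_auth):
    # One forbidden report fails the whole overview, as in the reproduction steps.
    try:
        return process_overview(user, process, check_report_auth)
    except ForbiddenException as exc:
        return f"error: {exc}"
```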