Details
Bug Report
Resolution: Fixed
L3 - Default
3.9.0-alpha2
Description
Context:
The KPI report retrieval returns all reports of a given process regardless of authorization, yet the KPI report evaluation uses an evaluation method that performs an authorization check. This means that if a user is authorized to see a process, but not authorized to access all of that process's KPI reports, the processes page breaks.
Instead, the KPI report evaluation should not perform a report authorization check.
Steps to reproduce:
Given: Both userA and userB have access to processA.
- Log in as userA and create a private KPI report for processA
- Log in as userB and go to the processes page.
Actual result:
The process overview retrieval throws a ForbiddenException, so the page displays a "You are not authorized to perform the requested action" error message and fails to load the process overview.
Expected result:
The process overview page should load without errors and display the KPI report result that userA created.