KPI report evaluation in process overview retrieval leading to ForbiddenExceptions


    • Type: Bug Report
    • Resolution: Fixed
    • Priority: L3 - Default
    • 3.9.0, 3.9.0-preview-1
    • Affects Version/s: 3.9.0-alpha2
    • Component/s: backend
    • None
    • Not defined

      Brief summary of the bug. What is it? Where is it?

      Context:

      The KPI report retrieval retrieves all reports of a given process regardless of authorization, yet the KPI report evaluation uses an evaluation method that performs an authorization check. This means that if a user is authorized to see a process, but not authorized to access all of that process's KPI reports, the processes page breaks.

      Instead, the KPI report evaluation should not perform a report authorization check.

      Steps to reproduce:

      Given: Both userA and userB have access to processA.

      1. Log in as userA and create a private KPI report for processA
      2. Log in as userB and go to the processes page.

      Actual result:

      The process overview retrieval will throw a ForbiddenException, leading to the page displaying a "You are not authorized to perform the requested action" error message and failing to load the process overview.

      Expected result:

      The process overview page should load without errors and display the KPI report result that userA created.

            Assignee:
            Unassigned
            Reporter:
            Helene Waechtler
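The mismatch described under Context, as an added sketch that is not the product's own code: a minimal Python model in which retrieval ignores report authorization while evaluation enforces it, run against the reproduction steps. All class, method and sample names (`Backend`, `overview`, `kpi-1`) are hypothetical, and the rule that only the owner may evaluate a private report is an assumption.

```python
from dataclasses import dataclass, field

class ForbiddenException(Exception):
    """Raised when a user may not access a process or a report."""

@dataclass
class KpiReport:  # hypothetical model of a KPI report
    report_id: str
    process: str
    owner: str
    value: int
    private: bool = True

@dataclass
class Backend:  # hypothetical stand-in for the backend component
    process_access: dict  # process name -> set of authorized users
    reports: list = field(default_factory=list)

    def kpi_reports_for(self, process):
        # Retrieval as described: every KPI report of the process, no auth filter.
        return [r for r in self.reports if r.process == process]

    def evaluate_checked(self, user, report):
        # Evaluation path that enforces report-level authorization (assumed rule).
        if report.private and report.owner != user:
            raise ForbiddenException(report.report_id)
        return report.value

    def overview(self, user, process, check_report_auth):
        # The process-level check is kept in both variants.
        if user not in self.process_access.get(process, set()):
            raise ForbiddenException(process)
        results = {}
        for r in self.kpi_reports_for(process):
            if check_report_auth:   # behaviour reported in this issue
                results[r.report_id] = self.evaluate_checked(user, r)
            else:                   # behaviour the issue asks for
                results[r.report_id] = r.value
        return results

def overview_outcome(user, check_report_auth):
    # Constructed sample data mirroring the steps to reproduce.
    backend = Backend({"processA": {"userA", "userB"}})
    backend.reports.append(KpiReport("kpi-1", "processA", "userA", 42))
    try:
        return backend.overview(user, "processA", check_report_auth)
    except ForbiddenException as exc:
        return f"forbidden: {exc}"
```

In this model the relaxed evaluation path is still gated by the process-level check, so a user without access to processA gets no KPI results either way.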