KPI report evaluation in process overview retrieval leading to ForbiddenExceptions


    • Type: Bug Report
    • Resolution: Fixed
    • Priority: L3 - Default
    • 3.9.0, 3.9.0-preview-1
    • Affects Version/s: 3.9.0-alpha2
    • Component/s: backend

      Brief summary of the bug. What is it? Where is it?

      Context:

      The KPI report retrieval retrieves all reports of a given process regardless of authorization, yet the KPI report evaluation uses an evaluation method that performs an authorization check. This means that if a user is authorized to see a process, but not authorized to access all of that process's KPI reports, the processes page breaks.

      Instead, the KPI report evaluation should not perform a report authorization check.

      Steps to reproduce:

      Given: Both userA and userB have access to processA.

      1. Log in as userA and create a private KPI report for processA
      2. Log in as userB and go to the processes page.

      Actual result:

      The process overview retrieval will throw a ForbiddenException, leading to the page displaying a "You are not authorized to perform the requested action" error message and failing to load the process overview.

      Expected result:

      The process overview page should load without errors and display the KPI report result that userA created.
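
A minimal Python model of the mismatch and of the proposed fix, added here as an illustration and not taken from the product's code. Every class, function and data name in it is hypothetical, and report ownership stands in for the real report authorization rule; the fixed variant keeps the process-level check and drops only the report-level check on the overview path.

```python
# Minimal model of the mismatch described in this report. All names here are
# hypothetical; this is not the product's code.
from dataclasses import dataclass


class ForbiddenException(Exception):
    """Raised when a user may not perform the requested action."""


@dataclass(frozen=True)
class KpiReport:
    report_id: str
    process: str
    owner: str   # private report: only the owner may open it directly
    value: int   # stand-in for the evaluated KPI result


PROCESS_ACCESS = {"processA": {"userA", "userB"}}        # constructed sample data
REPORTS = [KpiReport("kpi-1", "processA", "userA", 42)]  # userA's private KPI report


def kpi_reports_for(process):
    # Retrieval step: returns every KPI report of the process, no per-user filter.
    return [r for r in REPORTS if r.process == process]


def evaluate_report(user, report):
    # General evaluation path: enforces report-level authorization.
    if user != report.owner:
        raise ForbiddenException("You are not authorized to perform the requested action")
    return report.value


def evaluate_kpi_for_overview(report):
    # Overview-only path: no report-level check; callers must check process access first.
    return report.value


def process_overview(user, process, fixed):
    # Process-level authorization stays in place in both variants.
    if user not in PROCESS_ACCESS.get(process, set()):
        raise ForbiddenException("You are not authorized to perform the requested action")
    reports = kpi_reports_for(process)
    if fixed:
        return {r.report_id: evaluate_kpi_for_overview(r) for r in reports}
    # Pre-fix behaviour: a single report-level denial fails the whole overview.
    return {r.report_id: evaluate_report(user, r) for r in reports}
```

The general `evaluate_report` path is left unchanged, so opening the private report directly is still denied for userB; only the overview, which is already gated by process access, skips the report check.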


              Assignee:
              Unassigned
              Reporter:
              Helene Waechtler