Task
Resolution: Unresolved
L3 - Default
Brief summary of the issue. What is it? Where is it?
The process overview page lists KPI reports even if the current user is not authorised to access them. Sample cases:
- a private report of another user (created on home and not within a collection)
- a report from a collection the current user has no access to
After clicking the link, Optimize shows "this link is not valid".
Steps to reproduce:
- Log in as demo:demo
- Create a private report (outside of a collection)
- Make it a KPI report of a process
- Log out
- Log in as john:john
- Open the process overview page
Actual result:
- The private report of demo:demo is listed as a KPI and a link is present; clicking the link leads to an error page indicating that "this link is not valid".
Actions:
- At the moment this behaviour could be confusing, as the problem is not that the link is not valid but that the user doesn't have authorizations for that report. We should decide on whether the current solution is alright and if not.
Potential Solutions:
- We accept the current behaviour
- We convert the "this link is not valid" message to a more generic message which covers the case of not having authorisation for a report as well as the link being actually invalid
- We check on the BE whether a user has authorizations to every single KPI and return it to the frontend. Note that this operation could be really computationally expensive and would slow down the endpoint
- We could find another alternative as well
This ticket was migrated to github: https://github.com/camunda/camunda-optimize/issues/10307. Please use this link for any future references and continue any discussion there.
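A sketch of the backend-check option from the list of potential solutions, written as an added example and not taken from the Optimize code base: the user's accessible collections are resolved once per request and the KPI list is filtered in memory, instead of one authorization query per KPI. All class, method and field names are hypothetical, and the membership map is an assumed stand-in for whatever authorization lookup the backend already has.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

// Hypothetical model for illustration; these are not Optimize's real classes.
public class KpiVisibilityExample {

    // collectionId == null marks a private report (created on home, outside any collection).
    record KpiReport(String id, String name, String ownerId, String collectionId) {}

    // Resolve the accessible collections once, then filter with set lookups,
    // so the cost is one membership pass plus O(n) checks over the KPI list.
    static List<KpiReport> visibleKpis(String userId,
                                       List<KpiReport> kpis,
                                       Map<String, Set<String>> collectionMembers) {
        Set<String> accessible = collectionMembers.entrySet().stream()
            .filter(e -> e.getValue().contains(userId))
            .map(Map.Entry::getKey)
            .collect(Collectors.toSet());
        return kpis.stream()
            .filter(r -> r.collectionId() == null
                ? r.ownerId().equals(userId)             // private report: owner only
                : accessible.contains(r.collectionId())) // collection report: needs collection access
            .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample data mirroring the reproduction steps (users demo and john).
        Map<String, Set<String>> members = Map.of(
            "sales", Set.of("demo"),
            "ops", Set.of("demo", "john"));
        List<KpiReport> kpis = List.of(
            new KpiReport("r1", "Private KPI of demo", "demo", null),
            new KpiReport("r2", "Sales KPI", "demo", "sales"),
            new KpiReport("r3", "Ops KPI", "demo", "ops"));

        for (String user : List.of("demo", "john")) {
            List<String> names = visibleKpis(user, kpis, members).stream()
                .map(KpiReport::name)
                .collect(Collectors.toList());
            System.out.println(user + " sees " + names);
        }
    }
}
```

Filtering before the response is built also keeps the names of unauthorised reports out of the overview payload, which a reworded error message alone would not do.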