  1. Camunda Optimize
  2. OPT-7502

Validate user ID as owner when receiving update


    • Task
    • Resolution: Unresolved
    • L3 - Default
    • backend

      Currently, Optimize accepts a request from Modeler to learn about the owner of a given process. Optimize saves this information and later binds the owner to the real process once it is imported. This two-phase approach handles the scenario where Optimize receives the request before it knows about the process.

      When binding the owner to the process in the second phase, Optimize validates against the accounts service that the owner is a real user ID. To do this, it uses a service token that it finds through the Spring framework. This method is not sufficient, as the token most likely just belongs to the most recent user, and not necessarily to someone who has, or will always have, permission to fetch the owner.

      As an alternative, we should consider checking the validity of the owner ID provided by Modeler when actually receiving the request. If it is not a valid owner, Optimize should not save that pending entry in ES.
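
      A minimal sketch of the proposed receipt-time check, added here as an illustration and not Optimize's own code. `AccountsClient`, `receiveOwnerUpdate`, the in-memory map standing in for ES, and the use of the token that arrived with the request are all assumptions.

```java
import java.util.*;

// Hypothetical sketch: none of these types are Optimize's real classes.
public class OwnerUpdateSketch {

    /** Assumed accounts-service client; the lookup runs with the supplied token. */
    interface AccountsClient {
        boolean userExists(String userId, String bearerToken) throws Exception;
    }

    /** Stand-in for the pending owner entries that Optimize keeps in ES. */
    static final Map<String, String> pendingOwnerByProcess = new HashMap<>();

    /**
     * Handles the owner update from Modeler. The owner ID is validated now,
     * with the token that came with this request (assumption), so nothing
     * unvalidated is stored for the later binding phase.
     */
    static boolean receiveOwnerUpdate(AccountsClient accounts, String callerToken,
                                      String processId, String ownerId) {
        if (ownerId == null || ownerId.isBlank()) {
            return false;
        }
        boolean valid;
        try {
            valid = accounts.userExists(ownerId, callerToken);
        } catch (Exception e) {
            valid = false; // fail closed: an unverifiable owner is treated as invalid
        }
        if (!valid) {
            return false; // no pending entry is written
        }
        pendingOwnerByProcess.put(processId, ownerId);
        return true;
    }

    public static void main(String[] args) {
        // Constructed fake accounts service: only "user-1" exists, and only
        // "caller-token" is accepted.
        AccountsClient fake = (userId, token) -> {
            if (!"caller-token".equals(token)) throw new SecurityException("401");
            return "user-1".equals(userId);
        };
        System.out.println(receiveOwnerUpdate(fake, "caller-token", "proc-a", "user-1"));
        System.out.println(receiveOwnerUpdate(fake, "caller-token", "proc-b", "ghost"));
        System.out.println(receiveOwnerUpdate(fake, "stale-token", "proc-c", "user-1"));
        System.out.println(pendingOwnerByProcess);
    }
}
```

      Failing closed here means an accounts-service outage drops the update; a real handler might instead return a retryable error to Modeler so that a valid owner is not lost.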


              Unassigned Unassigned
              joshua.windels Joshua Windels