Task
Resolution: Unresolved
L3 - Default
Currently, Optimize accepts a request from Modeler telling it who the owner of a given process is. Optimize saves this information and later binds the owner to the actual process once that process has been imported. This two-phase approach exists to handle the case where the request arrives before Optimize knows about the process.
When binding the owner to the process in the second phase, Optimize validates that the owner is a real user ID by querying the accounts service. To do this it uses whatever service token it can obtain from the Spring security context. This is not sufficient: that token most likely belongs to whichever user made the most recent request, who does not necessarily have, and will not always have, permission to look up the owner. The outcome of the binding therefore depends on an unrelated caller rather than on the request that supplied the owner.
As an alternative, we should validate the owner ID provided by Modeler at the time the request is received, while that request's own authentication context is still available. If the owner is not valid, Optimize should reject the request and not persist the pending entry in ES at all.
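The following is an added, runnable model of the two flows discussed in this ticket; it is not Optimize's code. The accounts service, the tokens ("tok-modeler", "tok-viewer"), the user IDs and the process keys are constructed stand-ins, and the in-memory dicts stand in for the pending entries in ES. The `DeferredValidationOwnerService` class reproduces the current behaviour (store unchecked, validate at import with the ambient token), and `EagerValidationOwnerService` the proposed one (validate with the request's token, persist only valid owners).

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


class OwnerLookupDenied(Exception):
    """The token used for the lookup may not query the accounts service."""


class UnknownOwner(ValueError):
    """The requested owner ID does not exist in the accounts service."""


@dataclass
class AccountsService:
    """Constructed stand-in for the accounts service (assumed API, not Optimize's)."""
    known_users: Set[str]
    tokens: Dict[str, Tuple[str, bool]]  # token -> (principal, may_look_up_users)

    def assert_owner_exists(self, token: Optional[str], owner_id: str) -> None:
        principal = self.tokens.get(token or "")
        if principal is None or not principal[1]:
            raise OwnerLookupDenied(f"token {token!r} may not look up users")
        if owner_id not in self.known_users:
            raise UnknownOwner(owner_id)


@dataclass
class SecurityContext:
    """Ambient token as read by the import job: whatever the last request left behind."""
    current_token: Optional[str] = None


@dataclass
class DeferredValidationOwnerService:
    """Current behaviour: persist the pending owner unchecked, validate at import time."""
    accounts: AccountsService
    ctx: SecurityContext
    pending: Dict[str, str] = field(default_factory=dict)
    bound: Dict[str, str] = field(default_factory=dict)

    def receive_owner_request(self, token: str, process_key: str, owner_id: str) -> None:
        self.ctx.current_token = token
        self.pending[process_key] = owner_id  # persisted without any validation

    def unrelated_request(self, token: str) -> None:
        self.ctx.current_token = token  # any later request overwrites the context

    def on_process_imported(self, process_key: str) -> str:
        owner_id = self.pending.pop(process_key, None)
        if owner_id is None:
            return "no-pending"
        try:
            self.accounts.assert_owner_exists(self.ctx.current_token, owner_id)
        except OwnerLookupDenied:
            return "lookup-denied"  # a valid owner is silently dropped
        except UnknownOwner:
            return "unknown-owner"  # a bogus entry sat in the store until now
        self.bound[process_key] = owner_id
        return "bound"


@dataclass
class EagerValidationOwnerService:
    """Proposed behaviour: validate with the caller's token, persist only valid owners."""
    accounts: AccountsService
    pending: Dict[str, str] = field(default_factory=dict)
    bound: Dict[str, str] = field(default_factory=dict)

    def receive_owner_request(self, token: str, process_key: str, owner_id: str) -> None:
        self.accounts.assert_owner_exists(token, owner_id)  # raises -> request rejected
        self.pending[process_key] = owner_id

    def on_process_imported(self, process_key: str) -> str:
        owner_id = self.pending.pop(process_key, None)
        if owner_id is None:
            return "no-pending"
        self.bound[process_key] = owner_id  # already validated, no lookup needed
        return "bound"


def run_scenario() -> Dict[str, Dict[str, object]]:
    """Constructed scenario: a valid owner, a bogus owner, then an unrelated
    low-privilege request arrives before the import runs."""
    accounts = AccountsService(
        known_users={"alice", "carol"},
        tokens={"tok-modeler": ("modeler-svc", True), "tok-viewer": ("viewer", False)},
    )
    results: Dict[str, Dict[str, object]] = {}

    deferred = DeferredValidationOwnerService(accounts, SecurityContext())
    deferred.receive_owner_request("tok-modeler", "proc-A", "alice")
    deferred.receive_owner_request("tok-modeler", "proc-B", "mallory")  # not a user
    stored = dict(deferred.pending)
    deferred.unrelated_request("tok-viewer")  # last caller before the import job
    results["deferred"] = {
        "pending_stored_unvalidated": stored,
        "proc-A": deferred.on_process_imported("proc-A"),
        "proc-B": deferred.on_process_imported("proc-B"),
    }

    # Same input, but a privileged caller happens to be last: now the binding succeeds.
    lucky = DeferredValidationOwnerService(accounts, SecurityContext())
    lucky.receive_owner_request("tok-modeler", "proc-A", "alice")
    results["deferred_privileged_caller_last"] = {"proc-A": lucky.on_process_imported("proc-A")}

    eager = EagerValidationOwnerService(accounts)
    eager.receive_owner_request("tok-modeler", "proc-A", "alice")
    try:
        eager.receive_owner_request("tok-modeler", "proc-B", "mallory")
        rejected = False
    except UnknownOwner:
        rejected = True
    results["eager"] = {
        "mallory_rejected": rejected,
        "pending_stored": dict(eager.pending),
        "proc-A": eager.on_process_imported("proc-A"),
        "proc-B": eager.on_process_imported("proc-B"),
    }
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(name, outcome)
```

The two deferred runs receive identical input and differ only in who called Optimize last, which is exactly the dependency the ticket objects to; the eager variant never consults the ambient context, so the bogus "mallory" entry is rejected at the door and never reaches the pending store.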