  1. camunda BPM
  2. CAM-9623

Handle regressions in Authorization related to newly introduced Permissions

    Details

    • Type: Task
    • Status: Closed
    • Priority: L3 - Default
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 7.11.0, 7.11.0-alpha1
    • Component/s: engine
    • Labels:
      None

      Description

      The duplicated values of the Permissions lead to problems when checking authorizations. For example, the values of Permissions.CREATE_BATCH_DELETE_DECISION_INSTANCES and Permissions.UPDATE_INSTANCE are duplicated.

      Please check the following test case:

        public void testAuthorizations() {
          Authorization authorization = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
          authorization.setUserId(userId);
          authorization.addPermission(BatchPermissions.CREATE_BATCH_DELETE_DECISION_INSTANCES);
          authorization.setResource(Resources.BATCH);
          authorization.setResourceId(ANY);
          authorizationService.saveAuthorization(authorization);
      
          processEngineConfiguration.setAuthorizationEnabled(true);
          assertEquals(false, authorizationService.isUserAuthorized(userId, Arrays.asList(groupId), Permissions.UPDATE_INSTANCE, Resources.BATCH));
          assertEquals(true, authorizationService.isUserAuthorized(userId, Arrays.asList(groupId), BatchPermissions.CREATE_BATCH_DELETE_DECISION_INSTANCES, Resources.BATCH));
          assertTrue(authorization.isPermissionRevoked(BatchPermissions.CREATE_BATCH_DELETE_DECISION_INSTANCES));
          assertFalse(authorization.isPermissionRevoked(Permissions.UPDATE_INSTANCE));
        }
      

      Investigate all of the places where the duplication is problematic and fix accordingly.

      The REST API is affected as well: https://github.com/camunda/camunda-bpm-platform/blob/cf36405e281cf83860abadbe6c966fd8464519d6/engine-rest/engine-rest/src/main/java/org/camunda/bpm/engine/rest/AuthorizationRestService.java#L43
      Please have a look at:
      https://github.com/camunda/camunda-bpm-platform/blob/cf36405e281cf83860abadbe6c966fd8464519d6/engine-rest/engine-rest/src/main/java/org/camunda/bpm/engine/rest/util/AuthorizationUtil.java#L37
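
      The collision described above, as an added example that is not code from this issue or from the camunda code base: a simplified model in which a grant keeps only an int bitmask, so two permissions with the same value cannot be told apart. The class and method names, the shared value 512 and the resource mapping are assumptions made for illustration, and the resource-aware check is one possible mitigation, not necessarily the fix the project shipped.

```java
import java.util.EnumSet;
import java.util.Set;

public class PermissionCollisionDemo {
  enum Resource { BATCH, PROCESS_DEFINITION }

  interface Permission {
    int value();               // bit stored in the grant
    Set<Resource> resources(); // resource types the permission is defined for
  }

  // Both constants carry the same constructed value 512 to model the duplication.
  enum GenericPermission implements Permission {
    UPDATE_INSTANCE;
    public int value() { return 512; }
    public Set<Resource> resources() { return EnumSet.of(Resource.PROCESS_DEFINITION); }
  }

  enum BatchPermission implements Permission {
    CREATE_BATCH_DELETE_DECISION_INSTANCES;
    public int value() { return 512; }
    public Set<Resource> resources() { return EnumSet.of(Resource.BATCH); }
  }

  // A grant keeps only the resource type and an int bitmask of permission values.
  static final class Grant {
    final Resource resource;
    int mask;
    Grant(Resource resource) { this.resource = resource; }
    void add(Permission p) { mask |= p.value(); }
  }

  // Value-only check: any permission with the same bit matches the grant.
  static boolean naiveCheck(Grant g, Permission p, Resource r) {
    return g.resource == r && (g.mask & p.value()) == p.value();
  }

  // Resource-aware check: the permission must also be defined for the resource type.
  static boolean resourceAwareCheck(Grant g, Permission p, Resource r) {
    return p.resources().contains(r) && naiveCheck(g, p, r);
  }

  public static void main(String[] args) {
    Grant grant = new Grant(Resource.BATCH);
    grant.add(BatchPermission.CREATE_BATCH_DELETE_DECISION_INSTANCES);
    Permission other = GenericPermission.UPDATE_INSTANCE;
    System.out.println("value-only, UPDATE_INSTANCE on BATCH: " + naiveCheck(grant, other, Resource.BATCH));
    System.out.println("resource-aware, UPDATE_INSTANCE on BATCH: " + resourceAwareCheck(grant, other, Resource.BATCH));
  }
}
```

      The value-only check authorizes UPDATE_INSTANCE on BATCH although only the batch permission was granted, which is the false positive the first assertion in the test case guards against.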


            People

            • Assignee:
              thorben.lindhauer Thorben Lindhauer
              Reporter:
              yana.vasileva Yana Vasileva