Uploaded image for project: 'camunda BPM'
  1. camunda BPM
  2. CAM-9888

Hard-coded authorization checks in some queries

    Details

    • Type: Bug Report
    • Status: Open
    • Priority: L3 - Default
    • Resolution: Unresolved
    • Affects Version/s: 7.11.0-alpha3, 7.12.0-alpha1, 7.12.0-alpha2, 7.12.0-alpha3, 7.12.0-alpha4
    • Fix Version/s: 7.12.0
    • Component/s: engine
    • Labels:
      None

      Description

      Given scenario:
      1. Process Instance contains variables (Process instance variable scope)
      2. A user is granted a READ_VARIABLES permission for all tasks.

      Expected:
      The user tries to fetch the variables for this process instance, they do not see the variables.

      Currently:
      The variables are retrieved. Test case [1]

      Observations:
      When we build the query, the variable table is left joined to the authorization table like this:

      ...
      LEFT JOIN (
      SELECT A.*
      FROM ACT_RU_AUTHORIZATION A
      WHERE A.TYPE_ < 2
          AND (
              A.USER_ID_ IN (
                  'test'
                  ,'*'
                  )
              )
          AND (
              (
                  A.RESOURCE_TYPE_ = 6
                  AND BITAND(A.PERMS_, 2097152) = 2097152
                  OR A.RESOURCE_TYPE_ = 7
                  AND BITAND(A.PERMS_, 64) = 64
                  )
              )
      ) AUTH ON (
          AUTH.RESOURCE_ID_ IN (
              RES.PROC_INST_ID_
              ,PROC_EXECUTION.ID_
              ,PROCDEF.KEY_
              ,RES.TASK_ID_
              ,'*'
              )
          )
      ...
      

      Problems:

      • the AUTH.RESOURCE_ID_ IN part is hardcoded [2]
      • the different resource types are not coupled to the specific id to which they are joined. In other words: the join must be based on resource_id in and resource type permissions.

      Concerns:
      This is not the only place where this situation exists:

      [1]: https://github.com/camunda/camunda-bpm-platform/blob/1b2d4b9087d07788bc75736d0470ac1ee5ba1cca/engine/src/test/java/org/camunda/bpm/engine/test/api/authorization/VariableInstanceAuthorizationTest.java#L171-L183
      [2]: https://github.com/camunda/camunda-bpm-platform/blob/e0fa270bd8ad1d5e61582af704501129016078af/engine/src/main/resources/org/camunda/bpm/engine/impl/mapping/entity/VariableInstance.xml#L318-L325

        Activity

        There are no comments yet on this issue.

          People

          • Assignee:
            yana.vasileva Yana Vasileva
            Reporter:
            yana.vasileva Yana Vasileva
          • Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

            • Created:
              Updated:

              Development