Bug 1044006

Summary: As a user with just the role "user" I am able to abort a process instance of another user
Product: [Retired] JBoss BPMS Platform 6
Reporter: Ivo Bek <ibek>
Component: Business Central
Assignee: Marco Rietveld <mrietvel>
Status: CLOSED EOL
QA Contact: Ivo Bek <ibek>
Severity: medium
Docs Contact:
Priority: medium
Version: 6.0.0
CC: kverlaen
Target Milestone: ---
Target Release: 6.0.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-03-27 19:37:27 UTC
Type: Feature Request

Description Ivo Bek 2013-12-17 15:29:18 UTC
Description of problem:

I don't think that every role should have the possibility to abort any running process instance of another owner. I would leave this just for "admin", "analyst", and maybe "developer" roles according to this document: https://bugzilla.redhat.com/attachment.cgi?id=795734. For the "user" role I would forbid it.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Create a user "user1" with role "admin".
2. Create a second user "user2" with role "user".
3. Log in to Business Central as the user "user1".
4. As the user "user1" start any process definition with a human task just to be able to abort the process instance.
5. Log out and log in as the user "user2".
6. As the user "user2" abort the process instance the user "user1" started before.

Actual results:


Expected results:


Additional info:

Comment 1 Kris Verlaenen 2013-12-17 16:29:59 UTC
There is currently no user-specific access control on who is allowed to abort a process instance. Will have to defer this.

Comment 2 Marek Baluch 2013-12-17 16:51:04 UTC
Lowering to medium as this looks to be an enhancement.

Comment 3 PnT Account Manager 2017-12-07 23:34:50 UTC
Employee 'msalatin' has left the company.
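
The access rule proposed in the description, applied to the reproduction steps, as an added example (Java 16+) that is not Business Central or jBPM code and not written by anyone in this thread. All class, record and method names are hypothetical, and letting the initiator abort their own instance is an assumption the report does not state.

```java
import java.util.Set;

// Added illustration: every name here is hypothetical, not a jBPM or Business Central API.
public class AbortAuthorizationExample {

    // Roles the report proposes may abort process instances owned by other users.
    static final Set<String> PRIVILEGED_ROLES = Set.of("admin", "analyst", "developer");

    record Caller(String id, Set<String> roles) {}
    record ProcessInstance(long id, String initiator) {}

    /** Server-side decision: may this caller abort this instance? */
    static boolean mayAbort(Caller caller, ProcessInstance instance) {
        for (String role : caller.roles()) {
            if (PRIVILEGED_ROLES.contains(role)) {
                return true;
            }
        }
        // Assumption: a plain "user" may still abort an instance they started themselves.
        // An instance with no recorded initiator is denied (equals(null) is false).
        return caller.id().equals(instance.initiator());
    }

    /** Guard that runs before the engine's abort operation is invoked. */
    static void abort(Caller caller, ProcessInstance instance) {
        if (!mayAbort(caller, instance)) {
            throw new SecurityException(
                "caller " + caller.id() + " may not abort instance " + instance.id());
        }
        // The call into the process engine would go here; it is omitted because
        // this sketch only covers the authorization decision.
        System.out.println(caller.id() + " aborted instance " + instance.id());
    }

    public static void main(String[] args) {
        // Constructed sample data mirroring steps 1, 2 and 4 of the report.
        Caller user1 = new Caller("user1", Set.of("admin"));
        Caller user2 = new Caller("user2", Set.of("user"));
        ProcessInstance started = new ProcessInstance(1L, "user1");

        try {
            abort(user2, started); // step 6: role "user" acting on another owner's instance
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
        abort(user1, started);     // privileged role: allowed
    }
}
```

The check belongs in the service layer that performs the abort, so it holds regardless of which UI or remote interface issues the request.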