Bug 1229171

Summary: [GSS] (6.1.z) Any authenticated user can see tasks which doesn't own by remote REST api
Product: [Retired] JBoss BPMS Platform 6 Reporter: Hiroko Miura <hmiura>
Component: Business CentralAssignee: Shelly McGowan <smcgowan>
Status: CLOSED EOL QA Contact: Lukáš Petrovický <lpetrovi>
Severity: high Docs Contact:
Priority: high    
Version: 6.1.0CC: alazarot, ibek, kverlaen, rrajasek
Target Milestone: CR1   
Target Release: 6.1.0   
Hardware: Unspecified   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1230947 (view as bug list) Environment:
Last Closed: 2020-03-27 20:10:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1230947    
Attachments:
Description Flags
remote REST APi sample none

Description Hiroko Miura 2015-06-08 08:40:04 UTC 
Created attachment 1036223 [details]
remote REST APi sample

Description of problem:
Any authenticated user can see tasks which doesn't own vua remote REST API

For instance, in my test case, user task is created with group "admin".

If user authenticated for remote REST API as user "jbpmuser" who has "admin" role,
i.e.
    restSessionFactory = new RemoteRestRuntimeEngineFactory(
         "com.samplerj01:1.0", new URL(
              "http://localhost:8080/business-central/"),
               "bpmsuser", "bpmuser");

all of the following method returns expected task list.

     getTasksOwned("bpmsuser","en-UK")
     getTasksAssignedAsPotentialOwner("bpmsuser", "en-UK");
     getTasksAssignedAsPotentialOwnerByStatus("bpmsuser",status, "en-UK")

But, user authenticated for remote REST API  as user "guest" who doesn't have "admin" role,
i.e.
     restSessionFactory = new RemoteRestRuntimeEngineFactory(
          "com.samplerj01:1.0", new URL(
                "http://localhost:8080/business-central/"),
                "guest", "quest");

Authentication succeeded and both of getTasksAssignedAsPotentialOwner() and getTasksAssignedAsPotentialOwnerByStatus() returns no task (as expected)
but getTasksOwned() for another user returns list of tasks.

Version-Release number of selected component (if applicable):
BPM Suite 6.1.0


How reproducible:
Deploy a Process including user task and then search tasks using Rest API


Steps to Reproduce:
1. create 2 users, one is user(e.g. bpmsuser) who has admin role and the other one(e.g. guest) does not have admin role
2. on Business-Central, create business process including user task which is assigned to group(e.g. admin) and deploy it
3. login Business Central as admin user(bpmsuser) and then start some instances and claim and complete some of user tasks.
4. run REST API which authenticate as non-admin user to get list of tasks

Actual results:
getTasksOwned() returns list of tasks even if user doesn't own the tasks and is not member of group which is assigned to user task.


Expected results:
no the other user's tasks get returned if user doesn't have appropriate role

Additional info:
This may duplicate of bug 1227897.
Comment 7 Marco Rietveld 2015-06-25 13:06:03 UTC 
Fixed (see next comment for explanation). Commits: 

6.2.x: 
https://github.com/droolsjbpm/droolsjbpm-integration/commit/08a3c05a

master: 
https://github.com/droolsjbpm/droolsjbpm-integration/commit/728a4536
Comment 8 Marco Rietveld 2015-06-25 13:08:52 UTC 
What I've done is to add checks on both the client side so that GetTask* commands that use a different user id than the authenticated user, are rejected. 

If a different user id than the authenticated user is used, an exception is now thrown. 

**NOTE**: This may cause problems for users who are currently (ab)using this functionality! Users who are used to this "feature" (using user A to authenticate the REST or JMS request and requesting tasks for user B) will now have to modify their systems.
Comment 9 Marco Rietveld 2015-07-08 11:08:44 UTC 
I found a small bug related to this issue/fix and have also pushed a commit for this: 

6.2.x:
https://github.com/droolsjbpm/droolsjbpm-integration/commit/315a0bcc

master:
https://github.com/droolsjbpm/droolsjbpm-integration/commit/37c28f6a

This has been pushed to 6.2.x because the patch will be rebuilt due to another issue.
Comment 14 Marco Rietveld 2015-08-11 08:02:10 UTC 
Because including this change in a patch to product 6.1.x would be disruptive to existing users, I've reverted the community 6.2.x commits. 

6.2.x revert commits: 
https://github.com/droolsjbpm/droolsjbpm-integration/commit/b5a14ab4
Comment 15 Kris Verlaenen 2015-08-11 13:31:43 UTC 
Since the customer is not asking for a fix right now and this has a possibly larger impact on customers (as it might prevent them from doing something they were doing in the past), I suggest we don't address this in a patch update but in the next GA release instead.