Description of problem:
You can execute git clone via ssh even with a user which has the role 'user' assigned. This directly contradicts the role definition in http://docs.jboss.org/jbpm/v6.0.1/userguide/wb.Workbench.html#wb.Roles

============
9.4.2.4. Business user
Daily user of the system to take actions on business tasks that are required for the processes to continue forward. Works primarily with the task lists.
- Does process management
- Handles tasks and dashboards
=========

I can easily push changes to the business assets even if I am only user/manager. This seems like a security policy violation.

Version-Release number of selected component (if applicable):
bpm 6.0.2

How reproducible:
always

Steps to Reproduce:
1. Create user via ./add-user.sh, set role 'user'
2. git clone ssh://user@localhost:8001/repository1

Actual results:
It is possible to perform git operations such as ssh clone, add, commit, push with only the 'user' permission.

Expected results:
Role 'user' shouldn't have the possibility to perform operations like git clone, push via ssh, as it directly contradicts the documented role definition.
Fix pushed to master and 6.2.x
[kie-wb-common] 6.2.x http://github.com/droolsjbpm/kie-wb-common/commit/8a53e65e4
[kie-wb-common] master http://github.com/droolsjbpm/kie-wb-common/commit/47a5b0c4b
(still open as there's an issue on UF that basically doesn't use the new @IOSecurityAuthz instance)
The UF bug is now fixed on 0.5.0-SNAPSHOT: https://github.com/uberfire/uberfire/commit/221158cf8ed0654267ef3258b7f106800fa55be4
I cannot verify this issue for 6.1.0 ER3. It seems that nobody can clone a repository from business central via ssh. It blocks the verification of the security policy. I was able to connect via ssh in 6.1.0 ER2 without problem. For ER3, I got the message described in BZ1175682.
Verified on 6.1.0.ER6.
Admin, analyst or developer roles can clone the repository using SSH. User and manager roles cannot clone the repository using SSH.