Description of problem:
I have a repository with access restricted to certain roles. A user, who has none of these roles, has no access to this repository. However, the user can search for assets including assets in this repository and then can view them and even modify them.

Version-Release number of selected component (if applicable):
JBoss BRMS 6.0.3 (but the same problem applies also to Drools 6.2)

How reproducible:
See steps below.

Steps to Reproduce:
1. Use kie-config-cli to create repository repository1 and grant access to this repository to role role1. Use list-repo command to verify, that the setup is as follows:

list-repo
Result:
Currently available repositories:
Repository repository1
scheme: git
uri: git://repository1
environment: {username=, scheme=git, security:roles=[role1], password=****}
roles: [role1]

2. Create user analyst (e.g. using add-user script in JBoss EAP) and grant him role analyst.
3. Log in to business central as some administrator and create a project with some assets in the repository1 repository.
4. Log out from business central and log in as analyst.
5. When you click Authoring -> Project authoring, the user cannot access the repository1 repository. This is OK.
6. Now click Find and in the search form specify some date in the past as Last modified after.
7. Click Search.
8. All the assets of the repository1 repository are shown, you can view them and modify them. This is incorrect, because the user analyst should have no access to the repository1 repository.

Actual results:
User can access assets in a repository, which he has no privileges for.

Expected results:
Access to the assets in that repository should be denied.

Additional info:
The same problem applies to the latest version of Drools (i.e. Drools 6.2) as well.
Filtered Search Results by Repository(ies) to which the User has access.
Just to be sure - It was not explicitly mentioned in the bug, but the same problem applies also to organizational units. Are the search results filtered also by the organizational units, to which the user has access?
Tested with BRMS-6.1.0.ER6, unfortunately the fix does not help, see the attached screenshot - although the user cannot see the repository in Project Explorer, he is still able to access some assets via search.
Created attachment 1003842: screenshot
Tested on BRMS 6.2.0.ER3. Issue is still present in business central.
I tested with jboss-brms-6.2.0.ER4-deployable-eap6.x and it works fine! One thing that may be the cause of our discrepancies, is that after a role has been added to either an OU or Repository with kie-cli-config is that the Application Server needs stopping and re-starting. This is an issue and one best recorded against https://bugzilla.redhat.com/show_bug.cgi?id=1214245.

This is what I did:-
1) Run Business Central
2) Login with a User that has the admin role
3) Create repositories Repo1 and Repo2
4) Create projects Project1 in Repo1 and Project2 in Repo2
5) Create DRL files in Project1 and Project2
6) Run kie-cli-config.sh
7) Add role1 to Repo1 and role2 to Repo2
8) Make sure to execute command push-changes
9) Run add-user.sh
10) Create User1 with role role1 and User2 with role2
11) **STOP EAP**
12) **RESTART EAP**
13) Login with User1, they can only see Repo1 in Project Explorer
14) Search for assets, only that in Repo1 is listed
15) Login with User2, they can only see Repo2 in Project Explorer
16) Search for assets, only that in Repo2 is listed
(In reply to Pavel Zeman from comment #7)
> Just to be sure - It was not explicitly mentioned in the bug, but the same
> problem applies also to organizational units. Are the search results
> filtered also by the organizational units, to which the user has access?

I tested when an OU has a security role, but the inner Repository does not and this remains an issue as User1 could "see" (and open) assets in the repository in the OU to which the user does not have permissions.
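The access check the thread is asking for, as an added illustration that is not BRMS/Drools code: every search hit is post-filtered against the role restrictions of its repository and of the enclosing organizational unit, so a repository that carries no roles of its own is still hidden when its OU is restricted (the case reported above). The class and function names, and the sample repositories and assets, are constructed for this example.

```python
from dataclasses import dataclass

# Hypothetical model of the objects the thread talks about (not the project's API).
@dataclass
class OrgUnit:
    name: str
    roles: frozenset = frozenset()  # empty set means unrestricted

@dataclass
class Repository:
    name: str
    org_unit: OrgUnit
    roles: frozenset = frozenset()  # empty set means unrestricted

@dataclass
class Asset:
    path: str
    repo: Repository

def is_authorized(user_roles, repo):
    """A user may see an asset only if BOTH the repository and its OU admit
    one of the user's roles; an empty restriction set admits everyone."""
    for restricted in (repo.roles, repo.org_unit.roles):
        if restricted and not (restricted & set(user_roles)):
            return False
    return True

def unfiltered_search(assets, query):
    """The buggy behaviour: matches are returned regardless of access."""
    return [a.path for a in assets if query in a.path]

def search(assets, query, user_roles):
    """Corrected behaviour: drop hits whose repository or OU the user may not access."""
    return [a.path for a in assets
            if query in a.path and is_authorized(user_roles, a.repo)]

# Constructed sample data mirroring the report: repository1 restricted to role1,
# repository2 open, quickstarts open itself but sitting in an admin-only OU.
example_ou = OrgUnit("example")
secret_ou = OrgUnit("secret", roles=frozenset({"admin"}))
repository1 = Repository("repository1", example_ou, roles=frozenset({"role1"}))
repository2 = Repository("repository2", example_ou)
quickstarts = Repository("quickstarts", secret_ou)
ASSETS = [
    Asset("repository1/project1/drl1.drl", repository1),
    Asset("repository2/project2/drl2.drl", repository2),
    Asset("quickstarts/bpms-project/rule.drl", quickstarts),
]

if __name__ == "__main__":
    print("analyst, unfiltered:", unfiltered_search(ASSETS, "drl"))
    print("analyst, filtered:  ", search(ASSETS, "drl", {"analyst"}))
```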
Hello Michael, it also works for me if I restart the EAP server and you are right, the issue is still present for org units.
Created two DRL's on freshly installed BPMS 6.2.0.CR1 - drl1, drl2 as admin. Then used kie-config-cli with add-group-repo for repository1 to admin. Relogged to BC as analyst and searched both drl's and changed them. Repository1 was disabled. When opened drl as admin it was changed.
Created two DRL's on freshly installed BPMS 6.2.0.CR2/EAP6.4 - drl1, drl2 as admin. Used kie-config-cli.sh and add-group-repo to add repository1 to admin. Logged in to BC as analyst, hit search and found both drl's, changed them and saved. repository1 was disabled. When reopened DRL's as admin both were changed.
I have done a restart of the BPMS/EAP and still the same situation for repository/OU.
These are the steps I am following:-
1) Create new folder (to install Business Central)
2) cd into new folder
3) Unzip EAP
4) Unzip BxMS
5) Move BxMS files into EAP folder
6) ./standalone.sh
7) ./add-user.sh
8) Create user1, role admin
9) Create user2, role analyst
10) Login to Business Central as user1
11) Go to Administration Perspective
12) Create new Repository (r1)
13) Create new Repository (r2)
14) Go to Authoring Perspective
15) Create new Project (r1proj) in r1
16) Create new Project (r2proj) in r2
17) Create new DRL file (r1proj-drl) in r1proj; selecting "non-default" package
18) Create new DRL file (r2proj-drl) in r2proj; selecting "non-default" package
19) Search for "drl". r1proj-drl and r2proj-drl are returned
20) Logout
21) Run kie-cli-config.sh
22) Login as user1
23) add-group-repo; adding admin to r1
24) push-changes
25) exit
26) Login to Business Central as user1
27) Search for "drl". r1proj-drl and r2proj-drl are returned
28) Logout
29) Login to Business Central as user2
30) Search for "drl". Only r2proj-drl is returned.
Please detail the exact steps you are using that replicate the issue.
I tried https://bugzilla.redhat.com/show_bug.cgi?id=1192831#c34 and it worked for me.

Reproducer:
1) Create new folder (to install Business Central)
2) cd into new folder
3) Unzip EAP
4) Unzip BxMS
5) Move BxMS files into EAP folder
6) ./standalone.sh
7) bin/add-user.sh -a -u 'user1' -p 'user123*' -ro 'admin'
8) bin/add-user.sh -a -u 'user2' -p 'user234*' -ro 'analyst'
9) Login to Business Central as user1
10) Go to Authoring Perspective
11) Select default: example / repository1 / project1
12) Create 5 DRL's with names drl1, drl2, drl3, drl4, drl5 each with various package: <default>, org, org.kie, org.kie.example, org.kie.example.project1
13) Search for "drl". drl1, drl2, drl3, drl4, drl5 are returned.
14) Login to Business Central as user2
15) Search for "drl". drl1, drl2, drl3, drl4, drl5 are returned.
16) Run kie-cli-config.sh
17) Login as user1
18) add-group-repo; adding admin to repository1
19) push-changes
20) exit
21) Login to Business Central as user2
22) Search for "drl". drl1, drl2, drl3, drl4, drl5 are returned.
Created attachment 1101843: clonedrepo

Hello Michael, I found a similar problem that might be related to this issue:
1) Follow your first 9 steps
2) Go to administration perspective
3) Clone for example quickstarts repository https://github.com/jboss-developer/jboss-brms-repository.git into example org unit. (as user1)
4) Login as user2
5) Open quickstarts repo - bpms-project. Do not close browser window.
6) Run kie-cli-config.sh
7) Login as user1
8) add-group-repo (quickstart to admin role)
9) push-changes
10) exit
11) Logout user2 from browser.
12) Login as user2 in browser.
13) Go to Authoring Perspective.
14) Files of bpms project are visible and editable. See the attached screenshot.
BPMS 6.3.0.DR1