Created attachment 1036223
remote REST API sample

Description of problem:
Any authenticated user can see tasks which they don't own via the remote REST API.

For instance, in my test case, a user task is created with group "admin". If the user authenticates for the remote REST API as user "jbpmuser" who has the "admin" role, i.e.

restSessionFactory = new RemoteRestRuntimeEngineFactory(
    "com.samplerj01:1.0",
    new URL("http://localhost:8080/business-central/"),
    "bpmsuser", "bpmuser");

all of the following methods return the expected task list:

getTasksOwned("bpmsuser","en-UK")
getTasksAssignedAsPotentialOwner("bpmsuser", "en-UK");
getTasksAssignedAsPotentialOwnerByStatus("bpmsuser",status, "en-UK")

But, when the user authenticates for the remote REST API as user "guest" who doesn't have the "admin" role, i.e.

restSessionFactory = new RemoteRestRuntimeEngineFactory(
    "com.samplerj01:1.0",
    new URL("http://localhost:8080/business-central/"),
    "guest", "quest");

authentication succeeds and both getTasksAssignedAsPotentialOwner() and getTasksAssignedAsPotentialOwnerByStatus() return no tasks (as expected), but getTasksOwned() for another user returns a list of tasks.

Version-Release number of selected component (if applicable):
BPM Suite 6.1.0

How reproducible:
Deploy a process including a user task and then search tasks using the REST API.

Steps to Reproduce:
1. Create 2 users, one (e.g. bpmsuser) who has the admin role and the other (e.g. guest) who does not have the admin role.
2. On Business Central, create a business process including a user task which is assigned to a group (e.g. admin) and deploy it.
3. Log in to Business Central as the admin user (bpmsuser), start some instances, and claim and complete some of the user tasks.
4. Run the REST API, authenticating as the non-admin user, to get the list of tasks.

Actual results:
getTasksOwned() returns a list of tasks even if the user doesn't own the tasks and is not a member of the group which is assigned to the user task.

Expected results:
The other user's tasks should not be returned if the user doesn't have the appropriate role.

Additional info:
This may be a duplicate of bug 1227897.
Fixed (see next comment for explanation).

Commits:
6.2.x: https://github.com/droolsjbpm/droolsjbpm-integration/commit/08a3c05a
master: https://github.com/droolsjbpm/droolsjbpm-integration/commit/728a4536
What I've done is to add checks on both the client side so that GetTask* commands that use a different user id than the authenticated user are rejected. If a different user id than the authenticated user is used, an exception is now thrown.

**NOTE**: This may cause problems for users who are currently (ab)using this functionality! Users who are used to this "feature" (using user A to authenticate the REST or JMS request and requesting tasks for user B) will now have to modify their systems.
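A minimal illustration of the check this comment describes, added here as an example; it is not code from the linked droolsjbpm-integration commits, and every class, method and field name in it (TaskQueryGuard, requireSameUser, the Task holder, groupsByUser) is an assumption. It shows one guard that rejects any GetTask* command whose user id differs from the authenticated user, applied uniformly to both the owned and the potential-owner queries from the report:

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added example, not project code: a server-side guard for task queries.
public class TaskQueryGuard {

    /** Thrown when the user id in a GetTask* command is not the authenticated user. */
    public static class UnauthorizedTaskQueryException extends RuntimeException {
        public UnauthorizedTaskQueryException(String message) {
            super(message);
        }
    }

    /** Constructed sample task: id, actual owner (null while unclaimed) and assigned group. */
    public static final class Task {
        final long id;
        final String actualOwner;
        final String potentialGroup;

        Task(long id, String actualOwner, String potentialGroup) {
            this.id = id;
            this.actualOwner = actualOwner;
            this.potentialGroup = potentialGroup;
        }
    }

    private final List<Task> tasks;                       // stands in for the task persistence layer
    private final Map<String, Set<String>> groupsByUser;  // stands in for the user/group callback

    public TaskQueryGuard(List<Task> tasks, Map<String, Set<String>> groupsByUser) {
        this.tasks = tasks;
        this.groupsByUser = groupsByUser;
    }

    /**
     * The identity check from the fix comment: the user id carried by the command
     * must equal the user that authenticated the REST/JMS request; otherwise reject.
     */
    static void requireSameUser(String authenticatedUser, String requestedUser) {
        if (authenticatedUser == null || authenticatedUser.isEmpty()) {
            throw new UnauthorizedTaskQueryException("request is not authenticated");
        }
        if (!authenticatedUser.equals(requestedUser)) {
            throw new UnauthorizedTaskQueryException(
                "user '" + authenticatedUser + "' may not query tasks of user '" + requestedUser + "'");
        }
    }

    /** getTasksOwned equivalent: the guard runs before any query touches the data. */
    public List<Long> getTasksOwned(String authenticatedUser, String requestedUser) {
        requireSameUser(authenticatedUser, requestedUser);
        List<Long> ids = new ArrayList<>();
        for (Task t : tasks) {
            if (requestedUser.equals(t.actualOwner)) {
                ids.add(t.id);
            }
        }
        return ids;
    }

    /** getTasksAssignedAsPotentialOwner equivalent: same guard, then group membership. */
    public List<Long> getTasksAssignedAsPotentialOwner(String authenticatedUser, String requestedUser) {
        requireSameUser(authenticatedUser, requestedUser);
        Set<String> groups = groupsByUser.getOrDefault(requestedUser, Set.of());
        List<Long> ids = new ArrayList<>();
        for (Task t : tasks) {
            if (groups.contains(t.potentialGroup)) {
                ids.add(t.id);
            }
        }
        return ids;
    }

    public static void main(String[] args) {
        // Constructed data mirroring the report: tasks assigned to group "admin",
        // one claimed by bpmsuser; guest is not a member of the admin group.
        TaskQueryGuard guard = new TaskQueryGuard(
            Arrays.asList(new Task(1, "bpmsuser", "admin"), new Task(2, null, "admin")),
            Map.of("bpmsuser", Set.of("admin"), "guest", Set.of("user")));

        // The authenticated user queries its own tasks: allowed.
        System.out.println("bpmsuser owned: " + guard.getTasksOwned("bpmsuser", "bpmsuser"));
        System.out.println("bpmsuser potential: "
            + guard.getTasksAssignedAsPotentialOwner("bpmsuser", "bpmsuser"));

        // guest authenticates but asks for bpmsuser's tasks: the case the report
        // describes as leaking is now rejected before the query runs.
        try {
            guard.getTasksOwned("guest", "bpmsuser");
        } catch (UnauthorizedTaskQueryException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Keeping the check in one helper that every query method calls first is the point: the report shows that only getTasksOwned() leaked, which is what tends to happen when each command does its own filtering. Compile and run with `javac TaskQueryGuard.java && java TaskQueryGuard` (Java 9 or later for Map.of/Set.of).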
I found a small bug related to this issue/fix and have also pushed a commit for this:

6.2.x: https://github.com/droolsjbpm/droolsjbpm-integration/commit/315a0bcc
master: https://github.com/droolsjbpm/droolsjbpm-integration/commit/37c28f6a

This has been pushed to 6.2.x because the patch will be rebuilt due to another issue.
Because including this change in a patch to product 6.1.x would be disruptive to existing users, I've reverted the community 6.2.x commits.

6.2.x revert commits: https://github.com/droolsjbpm/droolsjbpm-integration/commit/b5a14ab4
Since the customer is not asking for a fix right now and this has a possibly larger impact on customers (as it might prevent them from doing something they were doing in the past), I suggest we don't address this in a patch update but in the next GA release instead.