JBoss BPMS Platform
RHBPMS-4576

[GSS](6.4.z) A user can display tasks for which he is not PotOwner or BusinessAdmin in BPM Suite 6.4

    Details

    • Fix Build:
      CR1
    • Steps to Reproduce:

      1) Create user bpmUser1 (roles user, group1).
      2) Create user bpmUser2 (roles user, group2).
      3) Create a business process with two human tasks, the first assigned to group1 and the second assigned to group2.
      4) Start the process.
      5) Log in to Business Central as user bpmUser1. You will see a task.
      6) Write down the taskId.
      7) Log in to Business Central as user bpmUser2. You will see no tasks yet.
      8) Access the task form of the task directly using the following URL, replacing the taskId with the one you wrote down:
      http://localhost:8080/business-central/kie-wb.jsp?perspective=FormDisplayPerspective&standalone=true&opener=localhost:8080&taskId=6

      You should see the same as the attachment (content.png).


      Description

      A critical security issue has been identified in business-central. It is possible to access data from a specific HT (human task) by using a direct URL and a user who is not a potential owner or business administrator of that task.
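The check that the direct-URL path has to enforce on the server side, written here as an added example in Java against the kie-api task model. This is not the project's fix and not code from this issue: a request for a task form is granted only if the caller is the task's actual owner, its initiator, a potential owner, or a business administrator, with group membership evaluated as well as direct user assignment. The class name `TaskFormAccessGuard`, the `groupIds` parameter and the use of `SecurityException` are assumptions; resolving the caller's groups from the container's identity store is outside the snippet.

```java
import java.util.Collection;
import java.util.Objects;

import org.kie.api.task.TaskService;
import org.kie.api.task.model.Group;
import org.kie.api.task.model.OrganizationalEntity;
import org.kie.api.task.model.Task;
import org.kie.api.task.model.User;

/**
 * Server-side visibility check for a human task (illustrative class, not part of jBPM).
 * The caller is identified by its user id and the ids of the groups it belongs to;
 * group resolution is assumed to be done by the container's identity provider.
 */
public final class TaskFormAccessGuard {

    private final TaskService taskService;

    public TaskFormAccessGuard(TaskService taskService) {
        this.taskService = Objects.requireNonNull(taskService);
    }

    /**
     * Returns true only if the user is the actual owner, the task initiator,
     * a potential owner (directly or via one of its groups), or a business
     * administrator (directly or via one of its groups) of the task.
     */
    public boolean canViewTask(Task task, String userId, Collection<String> groupIds) {
        User actualOwner = task.getTaskData().getActualOwner();
        if (actualOwner != null && userId.equals(actualOwner.getId())) {
            return true;
        }
        User initiator = task.getPeopleAssignments().getTaskInitiator();
        if (initiator != null && userId.equals(initiator.getId())) {
            return true;
        }
        return matches(task.getPeopleAssignments().getPotentialOwners(), userId, groupIds)
            || matches(task.getPeopleAssignments().getBusinessAdministrators(), userId, groupIds);
    }

    // An assignment list mixes users and groups; a user matches on its own id,
    // a group matches when the caller is a member of it.
    private static boolean matches(Collection<? extends OrganizationalEntity> assignees,
                                   String userId, Collection<String> groupIds) {
        for (OrganizationalEntity entity : assignees) {
            if (entity instanceof User && userId.equals(entity.getId())) {
                return true;
            }
            if (entity instanceof Group && groupIds.contains(entity.getId())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Loads the task by id and refuses the request unless the caller may see it.
     * A missing task and a forbidden task produce the same failure, so the form
     * endpoint cannot be used to probe which task ids exist.
     */
    public Task loadTaskForForm(long taskId, String userId, Collection<String> groupIds) {
        Task task = taskService.getTaskById(taskId);
        if (task == null || !canViewTask(task, userId, groupIds)) {
            throw new SecurityException("task " + taskId + " is not accessible to " + userId);
        }
        return task;
    }
}
```

In the scenario from the steps above, bpmUser1 (member of group1) passes because group1 is a potential owner of the first task, while bpmUser2 (member of group2) is refused even though it supplies a valid taskId, which is the check the report shows the direct URL was missing. The point of keying the check on the task's people assignments, rather than on what the task list shows the user, is that the task list is only a convenience view; the form endpoint must make its own decision.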


                People

                • Assignee:
                  pere.fernandez Pere Fernandez Perez
                  Reporter:
                  asamara Amana Juricic
                  Tester:
                  Juraj Soltes