JBoss BPMS Platform: RHBPMS-4576

[GSS](6.4.z) A user can display tasks for which he is not PotOwner or BusinessAdmin in BPM Suite 6.4


    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • Versions: 6.4.2, 6.4.0
    • Component: Business Central
    • CR1

      1) Create user bpmUser1 (roles user, group1).
      2) Create user bpmUser2 (roles user, group2).
      3) Create a business process with 2 human tasks. The first human task is assigned to group1, the second human task is assigned to group2.
      4) Start the process.
      5) Log in to Business Central as user bpmUser1. You will see a task.
      6) Write down the taskId.
      7) Log in to Business Central as user bpmUser2. You will see no tasks yet.
      8) Access the task form of the task directly using the following URL, replacing the taskId with the taskId you have written down:
      http://localhost:8080/business-central/kie-wb.jsp?perspective=FormDisplayPerspective&standalone=true&opener=localhost:8080&taskId=6

      You should see the same as the attachment (content.png).
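As an added example (not Business Central's or jBPM's own code), the following models the server-side entitlement check a task-form endpoint must apply before rendering a task: the task is shown only to its actual owner, a potential owner or a business administrator, resolved directly or through group membership. The users, task ids and payloads are constructed to mirror the steps above.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset  # roles/groups from the identity provider, e.g. {"user", "group1"}

@dataclass
class HumanTask:
    task_id: int
    potential_owners: Set[str] = field(default_factory=set)  # user or group ids
    business_admins: Set[str] = field(default_factory=set)   # user or group ids
    actual_owner: Optional[str] = None                       # set once a user claims the task
    payload: Dict[str, str] = field(default_factory=dict)    # the form data being protected

class TaskAccessDenied(PermissionError):
    """Raised instead of rendering the form when the caller is not entitled to the task."""

def is_authorized(user: User, task: HumanTask) -> bool:
    """Entitlement rule: actual owner, potential owner (directly or via group),
    or business administrator (directly or via group)."""
    principals = {user.name} | set(user.groups)
    return (task.actual_owner == user.name
            or bool(principals & task.potential_owners)
            or bool(principals & task.business_admins))

def load_task_form(user: User, tasks: Dict[int, HumanTask], task_id: int) -> Dict[str, str]:
    """Server-side handler for a request like ...?taskId=N. The check runs before
    any task data is returned; an unknown id and a forbidden id yield the same
    error so the URL cannot be used to probe for existing tasks."""
    task = tasks.get(task_id)
    if task is None or not is_authorized(user, task):
        raise TaskAccessDenied(f"task {task_id} is not available to {user.name}")
    return task.payload

# Constructed scenario mirroring the reproduction steps (all values made up)
BPM_USER1 = User("bpmUser1", frozenset({"user", "group1"}))
BPM_USER2 = User("bpmUser2", frozenset({"user", "group2"}))
ADMIN = User("admin", frozenset({"Administrators"}))
TASKS = {
    6: HumanTask(6, potential_owners={"group1"}, business_admins={"Administrators"},
                 payload={"name": "Task 1", "content": "visible to group1 only"}),
    7: HumanTask(7, potential_owners={"group2"}, business_admins={"Administrators"},
                 payload={"name": "Task 2", "content": "visible to group2 only"}),
}
```

With this check in place, the request from step 8 made as bpmUser2 for task 6 is refused, while bpmUser1 and a business administrator still receive the form.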


      A critical security issue has been identified in Business Central: it is possible to access the data of a specific human task (HT) through a direct URL as a user who is neither a potential owner nor a business administrator of that task.

            People: rh-ee-pefernan (Pere Fernandez Perez), rhn-support-ajuricic (Amana Juricic), Juraj Soltes (Inactive)