
[GSS](6.4.z) A user can display tasks for which he is not PotOwner or BusinessAdm in BPM Suite 6.4


Details

    • Bug
    • Resolution: Done
    • Critical
    • 6.4.2
    • 6.4.0
    • Business Central
    • None
    • CR1
    Steps to Reproduce

      1) create user bpmUser1 (roles user,group1)
      2) create user bpmUser2 (roles user,group2)
      3) create a business process with 2 human tasks. The first human task is assigned to group1, the second human task to group2.
      4) Start the process
      5) Login to Business Central as user bpmUser1. You will see a task.
      6) Write down the taskId.
      7) Login to Business Central as user bpmUser2. You will see no tasks yet.
      8) Access the task form of the task directly using the following URL, replacing the taskId with the taskId you have written down:
      http://localhost:8080/business-central/kie-wb.jsp?perspective=FormDisplayPerspective&standalone=true&opener=localhost:8080&taskId=6

      You should see the same as the attachment (content.png).

    Description

      A critical security issue has been identified in business-central. It is possible to access the data of a specific human task (HT) by using a direct URL with a user who is neither a potential owner nor a business administrator of that task, as shown in the attached content.png.
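      The defect in the report is that the task form's direct URL trusts the task id alone, while the task list is the only place that filters by potential owner or business administrator. The fix pattern a defender wants is an authorization check on the direct-access path itself, performed against the task's own assignments and independent of what the user's task list showed. The following Python is an added example that is not Business Central's or jBPM's code: the task model, the user and group names (bpmUser1, bpmUser2, group1, group2, a constructed admin user in an "Administrators" group), the task ids and the in-memory audit log are all constructed to mirror the steps to reproduce.

```python
"""Added example, not Business Central's own code: an explicit server-side
authorization check on the direct task-form path described in the steps to
reproduce. Users, groups, task ids and the audit log are constructed here."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class User:
    name: str
    groups: Set[str]


@dataclass
class Task:
    task_id: int
    # Potential owners and business administrators may be users or groups,
    # matching the human-task roles the report refers to.
    potential_owners: Set[str] = field(default_factory=set)
    business_admins: Set[str] = field(default_factory=set)
    actual_owner: Optional[str] = None      # set once the task is claimed
    data: Dict[str, str] = field(default_factory=dict)


class TaskAccessDenied(Exception):
    """Raised for both unknown and forbidden task ids (no existence leak)."""


AUDIT_LOG: List[str] = []   # constructed stand-in for the server's audit log


def principals(user: User) -> Set[str]:
    """The identifiers a user can match on: its own name plus its groups."""
    return {user.name} | set(user.groups)


def can_access_task(user: User, task: Task) -> bool:
    """Allow only the actual owner, a potential owner or a business admin."""
    if task.actual_owner == user.name:
        return True
    ids = principals(user)
    return bool(ids & task.potential_owners) or bool(ids & task.business_admins)


def task_form(user: User, task_id: int, tasks: Dict[int, Task]) -> Dict[str, str]:
    """Handler for the direct URL (...&taskId=N): authorize before rendering,
    independent of whether the task appeared in the user's task list."""
    task = tasks.get(task_id)
    if task is None or not can_access_task(user, task):
        AUDIT_LOG.append(f"DENY user={user.name} taskId={task_id}")
        raise TaskAccessDenied(f"task {task_id} not available to {user.name}")
    AUDIT_LOG.append(f"ALLOW user={user.name} taskId={task_id}")
    return dict(task.data)


def reproduce_scenario() -> Dict[str, bool]:
    """Replay the report's scenario: two group-assigned tasks, two users."""
    bpm_user1 = User("bpmUser1", {"user", "group1"})
    bpm_user2 = User("bpmUser2", {"user", "group2"})
    admin = User("bpmAdmin", {"Administrators"})   # constructed admin user
    tasks = {
        6: Task(6, potential_owners={"group1"}, business_admins={"Administrators"},
                data={"customer": "constructed-sample"}),
        7: Task(7, potential_owners={"group2"}, business_admins={"Administrators"}),
    }

    def allowed(user: User, task_id: int) -> bool:
        try:
            task_form(user, task_id, tasks)
            return True
        except TaskAccessDenied:
            return False

    return {
        "bpmUser1_task6": allowed(bpm_user1, 6),    # potential owner: allowed
        "bpmUser2_task6": allowed(bpm_user2, 6),    # the report's case: denied
        "bpmUser2_task7": allowed(bpm_user2, 7),    # own group's task: allowed
        "admin_task6": allowed(admin, 6),           # business admin: allowed
        "bpmUser1_task99": allowed(bpm_user1, 99),  # unknown id: same denial path
    }


if __name__ == "__main__":
    print(reproduce_scenario())
    print("\n".join(AUDIT_LOG))
```

      Two design points matter for this class of bug: the check reads the task's own assignment lists rather than the list the UI rendered, so a guessed or remembered id gains nothing; and a missing id and a forbidden id take the same code path and produce the same denial, so the response does not confirm which task ids exist. The DENY audit lines are the detection signal: a user repeatedly hitting the form URL for ids outside their groups is visible in the log even though every request was refused.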

            People

              rh-ee-pefernan Pere Fernandez Perez
              rhn-support-ajuricic Amana Juricic
              Juraj Soltes Juraj Soltes (Inactive)
              Juraj Soltes Juraj Soltes (Inactive)