
FOUR-13028 | The Editing of Any Process Can Be Accessed With Any User Who Has Projects Permissions Activated #6037

Merged
merged 3 commits into from
Jan 17, 2024

Conversation

mcraeteisha (Contributor) commented Jan 15, 2024

Issue

Ticket: FOUR-13028

This pull request addresses an issue with Project Permissions that allowed unauthorized access and modification of processes, scripts, and screens.

Solution

Updated AuthServiceProvider's boot function. Queried the database for projects the user is a member or owner of and retrieved associated project assets. Adjusted $allowedEndpoints for Processes, Scripts, and Screens to limit user access to endpoints for assets associated with their projects.

How to Test

  1. Go to branch observation/FOUR-13028 in processmaker.
  2. Have Processes, Screens, and Scripts created in your environment.
  3. Create a User with only Projects permissions.
  4. Log in with that User. Have a Project created with a Process, Screen, and Script.
  5. Change the URL to access process editing: /modeler/{processId}.
  6. Edit and Publish the process.
    • Users should only be able to access and edit processes that are associated with their projects.
    • If you visit the Modeler for a process associated with the user's project, you should be able to see and edit the process. If you visit the Modeler with a process that is not part of one of the user's projects, you should see a 'Not Authorized' page.
  7. Repeat these steps with the Screen and Script editors.

ci:next

Code Review Checklist

  • I have pulled this code locally and tested it on my instance, along with any associated packages.
  • This code adheres to ProcessMaker Coding Guidelines.
  • This code includes a unit test or an E2E test that tests its functionality, or is covered by an existing test.
  • This solution fixes the bug reported in the original ticket.
  • This solution does not alter the expected output of a component in a way that would break existing Processes.
  • This solution does not implement any breaking changes that would invalidate documentation or cause existing Processes to fail.
  • This solution has been tested with enterprise packages that rely on its functionality and does not introduce bugs in those packages.
  • This code does not duplicate functionality that already exists in the framework or in ProcessMaker.
  • This ticket conforms to the PRD associated with this part of ProcessMaker.
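
The fix described in the Solution section is a switch from a permission check ("does this user have the Projects permission?") to an object-level check ("is this particular process, screen or script part of a project this user owns or belongs to?"). The following is an added, self-contained PHP illustration of that shape, not code from this pull request or from ProcessMaker: the in-memory tables are constructed sample data, the screen and script editor paths are placeholders (only `/modeler/{processId}` is named in the PR), and the function names are hypothetical. It also shows the reviewer's point about per-request cost by computing the allowlist once per user rather than once per project.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for the projects tables (not ProcessMaker's schema).
const SAMPLE_DB = [
    'projects' => [
        ['id' => 10, 'owner_id' => 1],
        ['id' => 11, 'owner_id' => 2],
        ['id' => 12, 'owner_id' => 3],
    ],
    'project_members' => [
        ['project_id' => 11, 'user_id' => 1], // user 1 is a member of project 11
    ],
    'project_assets' => [
        ['project_id' => 10, 'type' => 'process', 'asset_id' => 100],
        ['project_id' => 11, 'type' => 'process', 'asset_id' => 101],
        ['project_id' => 11, 'type' => 'screen',  'asset_id' => 200],
        ['project_id' => 12, 'type' => 'process', 'asset_id' => 102], // not in any of user 1's projects
        ['project_id' => 12, 'type' => 'script',  'asset_id' => 300],
    ],
];

// Editor URL patterns. /modeler/%d is the path named in the PR; the screen and
// script paths are placeholders, not ProcessMaker's real routes.
const EDITOR_ROUTES = [
    'process' => '/modeler/%d',
    'screen'  => '/designer/screen-builder/%d',   // placeholder
    'script'  => '/designer/scripts/%d/builder',  // placeholder
];

/**
 * Ids of every asset, grouped by type, that belongs to a project the user owns
 * or is a member of. One pass over each table: no per-project lookup.
 */
function projectAssetsForUser(int $userId, array $db): array
{
    $projectIds = [];
    foreach ($db['projects'] as $p) {
        if ($p['owner_id'] === $userId) {
            $projectIds[$p['id']] = true;
        }
    }
    foreach ($db['project_members'] as $m) {
        if ($m['user_id'] === $userId) {
            $projectIds[$m['project_id']] = true;
        }
    }
    $assets = ['process' => [], 'screen' => [], 'script' => []];
    foreach ($db['project_assets'] as $a) {
        if (isset($projectIds[$a['project_id']])) {
            $assets[$a['type']][] = $a['asset_id'];
        }
    }
    return $assets;
}

/**
 * Concrete editor URLs the user may open. A wildcard such as "/modeler/*" is what
 * lets any id through; the allowlist must hold specific ids. Memoised per user so
 * repeated checks within one request touch the data once. The cache lifetime must
 * be the request: in a long-running worker a process-wide static would go stale.
 */
function allowedEndpointsForUser(int $userId, array $db): array
{
    static $cache = [];
    if (!isset($cache[$userId])) {
        $allowed = [];
        foreach (projectAssetsForUser($userId, $db) as $type => $ids) {
            foreach ($ids as $id) {
                $allowed[] = sprintf(EDITOR_ROUTES[$type], $id);
            }
        }
        $cache[$userId] = $allowed;
    }
    return $cache[$userId];
}

/** Exact-match check: the path must name an asset in one of the user's projects. */
function canOpenEditor(int $userId, string $path, array $db): bool
{
    return in_array($path, allowedEndpointsForUser($userId, $db), true);
}

// Demo: user 1 owns project 10 and is a member of project 11, so 100, 101 and
// screen 200 are reachable, while process 102 (project 12) is Not Authorized.
foreach (['/modeler/100', '/modeler/101', '/designer/screen-builder/200', '/modeler/102'] as $path) {
    printf("%-30s %s\n", $path, canOpenEditor(1, $path, SAMPLE_DB) ? 'allowed' : 'Not Authorized');
}
```

Run with `php example.php`. The test steps in the PR map directly onto the last loop: the first three paths correspond to "a process associated with the user's project", the fourth to "a process that is not part of one of the user's projects", which is the case that should land on the 'Not Authorized' page.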

eiresendez (Contributor) left a comment

The fix correctly addresses the issue outlined in the ticket.
Added some optimizations to DB queries as they are operations executed on each application request.

@ryancooley ryancooley merged commit 45aef5a into next Jan 17, 2024
7 checks passed