
FOUR-14018: Unauthorized Users Can View Screens, Data Connectors, and Decision Tables #6185

Merged
merged 8 commits into from Feb 9, 2024

Conversation


@estebangallego estebangallego commented Feb 7, 2024

Issue & Reproduction Steps

Users without the appropriate permissions can see a list of screens, data connectors, and decision tables.

Steps to Reproduce:

  1. Log in as an admin.
  2. Create a user without permissions.
  3. Log out and then log in with the newly created user.
  4. Create a project.
  5. Open the project and add some assets (Process, Screen, Script, DataConnector, Decision Table).
  6. Attempt to edit or configure each asset.
  7. From the breadcrumb, attempt to see a list of the assets
  8. Click on the sidebar icons.

At this moment, we're able to see a list of Screens, DataConnectors and Decision Tables.

Solution

Modify the $allowedEndpoints array to explicitly include the specific endpoint corresponding to the current user's own assets. This will grant the user permission to modify their assets while continuing to restrict access to the system's other assets.

How to Test

Please follow the 'Steps to Reproduce' and verify that in steps 7 and 8, the user encounters an 'unauthorized' page, confirming that access is correctly restricted.

Related Tickets & Packages

ci:next

Code Review Checklist

  • I have pulled this code locally and tested it on my instance, along with any associated packages.
  • This code adheres to ProcessMaker Coding Guidelines.
  • This code includes a unit test or an E2E test that tests its functionality, or is covered by an existing test.
  • This solution fixes the bug reported in the original ticket.
  • This solution does not alter the expected output of a component in a way that would break existing Processes.
  • This solution does not implement any breaking changes that would invalidate documentation or cause existing Processes to fail.
  • This solution has been tested with enterprise packages that rely on its functionality and does not introduce bugs in those packages.
  • This code does not duplicate functionality that already exists in the framework or in ProcessMaker.
  • This ticket conforms to the PRD associated with this part of ProcessMaker.
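As an added illustration of the allowlist pattern the solution above describes (this is not ProcessMaker's code; the class, route paths and permission names are assumed): list endpoints are only granted when the user holds the matching global permission, while asset endpoints are granted per project the user owns, so a user with no permissions is denied the breadcrumb and sidebar lists but can still open and edit assets in their own project.

```php
<?php
declare(strict_types=1);

// Hypothetical endpoint-allowlist authorizer. Routes, permission names and
// the ownership model are assumptions for illustration, not ProcessMaker's.

final class User
{
    /**
     * @param string[] $permissions   global permissions held by the user
     * @param int[]    $ownedProjects ids of projects the user created
     */
    public function __construct(
        public readonly int $id,
        public readonly array $permissions,
        public readonly array $ownedProjects,
    ) {}
}

final class EndpointAuthorizer
{
    // Global permission required for each list endpoint. These are the routes
    // behind the breadcrumb and sidebar links; without the permission the
    // user must not see the list at all.
    private const LIST_ENDPOINTS = [
        'GET /api/screens'         => 'view-screens',
        'GET /api/data-sources'    => 'view-data-sources',
        'GET /api/decision-tables' => 'view-decision-tables',
    ];

    /** Build the per-user allowlist. Entries are "METHOD /path" globs. */
    public static function allowedEndpoints(User $user): array
    {
        $allowedEndpoints = [];

        foreach (self::LIST_ENDPOINTS as $endpoint => $permission) {
            if (in_array($permission, $user->permissions, true)) {
                $allowedEndpoints[] = $endpoint;
            }
        }

        // Scope the remaining grants to the user's own projects only. An
        // over-broad entry such as 'GET /api/screens*' would also match the
        // list route above; keep every grant as specific as this.
        foreach ($user->ownedProjects as $projectId) {
            $allowedEndpoints[] = "GET /api/projects/{$projectId}";
            $allowedEndpoints[] = "GET /api/projects/{$projectId}/assets/*";
            $allowedEndpoints[] = "PUT /api/projects/{$projectId}/assets/*";
        }

        return $allowedEndpoints;
    }

    public static function isAllowed(User $user, string $method, string $path): bool
    {
        $request = strtoupper($method) . ' ' . $path;
        foreach (self::allowedEndpoints($user) as $pattern) {
            // The trailing "/" before "*" means ".../assets/*" matches a
            // single asset route but not the bare ".../assets" list route.
            if (fnmatch($pattern, $request)) {
                return true;
            }
        }
        return false; // deny by default
    }
}

// Constructed scenario: a user with no global permissions who owns project 7.
$noPerms = new User(id: 42, permissions: [], ownedProjects: [7]);

$checks = [
    'GET /api/screens'              => false, // breadcrumb/sidebar list: denied
    'GET /api/decision-tables'      => false,
    'GET /api/projects/7/assets/12' => true,  // own asset: allowed
    'PUT /api/projects/7/assets/12' => true,
    'GET /api/projects/8/assets/12' => false, // another user's project: denied
];

foreach ($checks as $req => $expected) {
    [$method, $path] = explode(' ', $req, 2);
    $actual = EndpointAuthorizer::isAllowed($noPerms, $method, $path);
    printf("%-30s %s\n", $req, $actual === $expected ? 'ok' : 'MISMATCH');
}
```

Run with `php authorizer.php`; every line should print `ok`. The check to carry over when reviewing a real `$allowedEndpoints` array is the second one: every entry that is meant to cover a single resource must be shaped so it cannot also match the collection route that lists all resources.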

@agustinbusso agustinbusso left a comment


The fix is correct: after clicking on the links in the breadcrumb as a user without permissions, an unauthorized page is shown. Users can view their own assets in a project.

Screen.Recording.2024-02-08.at.11.25.33.mov
Screen.Recording.2024-02-08.at.11.31.20.mov

Another issue was discovered while reviewing. The ellipsis menu for the assets in a project does not show the edit and configure options for a user who has permissions applied such as "Edit screen". After syncing with @estebangallego, this is going to be addressed in a separate ticket:

Screen.Recording.2024-02-08.at.11.34.51.mov

@agustinbusso agustinbusso left a comment


Another issue detected is that the icons in the left bar continue to show when the user does not have permissions. After syncing with @estebangallego, this issue is going to be addressed in another ticket.

Screen.Recording.2024-02-08.at.11.37.35.mov


estebangallego commented Feb 8, 2024

Thank you @agustinbusso! A ticket FOUR-14092 has been created regarding this observation


@ryancooley ryancooley merged commit eeede3b into next Feb 9, 2024
6 of 7 checks passed