Workflow result list security permissions vulnerability #5709
Labels: Fixed in v16.3; Status: Confirmed; Type: Bug
Description
An internal page in Rock contains a "workflow list" block and dynamically loads the workflow based on the workflowTypeId in the page parameters. If permissions are set on a specific workflow and a user who should not see the workflow submissions visits this page, the screen is mostly blank with just a collapsed filter visible.
If the user expands the filter box (no need to filter or adjust anything) and selects "Apply Filter", the workflow submissions and content become available.
Actual Behavior
After setting permissions on a workflow that deny all access (View, Edit, Administrate, View List) to anyone with the "RSR - Staff Workers" security role, log in with a test user that has the staff permissions and navigate to the workflow view list page (this happens to be page/288 in the Rock demo site).
Initially the user is shown this screen:
If you open the filter options and select "Apply Filter", the user will see the workflow submissions.
Expected Behavior
The expected behavior would be to respect the security permissions after a postback or any other event that reloads the page, so sensitive information cannot be shown unintentionally.
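The pattern the expected behavior describes, as an added example and not the actual Rock block source (which this report does not include): a Web Forms block that runs the same authorization gate inside the bind routine, so the initial load and the "Apply Filter" postback are checked identically. The control names (gfWorkflows, gWorkflows, nbNotAuthorized), the WorkflowTypeId page parameter and the Rock calls used (PageParameter, AsInteger, WorkflowTypeService, IsAuthorized with Authorization.VIEW, GridFilter.ApplyFilterClick) are assumptions made for the illustration. It also assumes the reported cause is the common one, a check that ran only under !IsPostBack.

```csharp
// Added example, not code from the Rock project. Names and APIs below are assumptions
// made for illustration; the real workflow list block may be structured differently.
using System;
using System.Linq;
using Rock.Data;
using Rock.Model;
using Rock.Security;
using Rock.Web.UI;

public partial class WorkflowListExample : RockBlock
{
    private WorkflowType _workflowType;

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Both the filter postback and grid rebinds go through BindGrid, never straight to DataBind.
        gfWorkflows.ApplyFilterClick += (s, a) => BindGrid();
        gWorkflows.GridRebind += (s, a) => BindGrid();
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        // Resolve the workflow type on every request, not only on the first render,
        // because postbacks create a fresh page instance with no memory of the first check.
        int workflowTypeId = PageParameter("WorkflowTypeId").AsInteger();
        _workflowType = new WorkflowTypeService(new RockContext()).Get(workflowTypeId);

        if (!IsPostBack)
        {
            BindGrid();
        }
    }

    // Single place where "may this person see the list" is decided.
    private bool CanViewList()
    {
        return _workflowType != null
            && _workflowType.IsAuthorized(Authorization.VIEW, CurrentPerson);
    }

    private void BindGrid()
    {
        // The gate lives here, so an ApplyFilter postback cannot skip it. The reported bug is
        // what happens when this check sits only inside "if (!IsPostBack)" in OnLoad.
        if (!CanViewList())
        {
            gWorkflows.Visible = false;
            gfWorkflows.Visible = false;
            nbNotAuthorized.Visible = true;   // NotificationBox: "You are not authorized to view this list."
            return;
        }

        nbNotAuthorized.Visible = false;
        gfWorkflows.Visible = true;
        gWorkflows.Visible = true;

        var rockContext = new RockContext();
        var workflows = new WorkflowService(rockContext).Queryable()
            .Where(w => w.WorkflowTypeId == _workflowType.Id)
            .OrderByDescending(w => w.CreatedDateTime)
            .ToList();

        gWorkflows.DataSource = workflows;
        gWorkflows.DataBind();
    }
}
```

The design point is that Web Forms rebuilds the page on every postback, so a permission decision taken during the first GET is not carried over; any handler that rebinds data must re-run the check, and keeping it inside BindGrid means new event handlers added later inherit it automatically.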
Steps to Reproduce
Issue Confirmation
Rock Version
Tested: 14.2 & 15.3
Client Culture Setting
en-US