
Workflow result list security permissions vulnerability #5709

Closed
2 tasks done
kevinkrugerCCV opened this issue Jan 8, 2024 · 0 comments
Labels: Fixed in v16.3 · Status: Confirmed · Type: Bug

Comments

@kevinkrugerCCV

Description

An internal page in Rock contains a "workflow list" block and dynamically loads the workflow based on the workflowTypeId in the page parameters. If permissions are set on a specific workflow and a user who should not see the workflow submissions visits this page, the screen is mostly blank with just a collapsed filter visible.
If the user expands the filter box (no need to filter or adjust anything) and selects "Apply Filter", the workflow submissions and content become available.
[Screenshot: Image 1-8-24 at 12 23 PM]

Actual Behavior

After setting permissions on a workflow that deny all access (view, edit, administrate, view list) to anyone with the "RSR - Staff Workers" security role, log in with a test user that has the staff permissions and navigate to the workflow view list page (happens to be page/288 in the Rock demo site).
Initially the user is shown this screen:
[Screenshot: Image 1-8-24 at 12 26 PM]

If you open the filter options and select "Apply Filter", the user will see the workflow submissions.
[Screenshot]

Expected Behavior

The expected behavior would be to respect the security permissions after a postback or any other event that reloads the page, so sensitive information cannot be shown unintentionally.

Steps to Reproduce

  1. In the rocksolidchurchdemo site, if a test workflow is not already available, you can go to "https://rock.rocksolidchurchdemo.com/admin/general/workflows?workflowTypeId=17&ExpandedIds=C162%2CC144" to create a bogus test workflow.
  2. Set workflow permissions for admin, staff, and all users.
    [Four screenshots]
  3. Add security permissions to a test user and a database login to impersonate or see results (used test person and login: "testPerson", password: "test123"). https://rock.rocksolidchurchdemo.com/person/56/security
  4. Visit the workflow list page with the admin user to see workflow results. https://rock.rocksolidchurchdemo.com/page/288?WorkflowTypeId=17
  5. Log in as the test user or someone without the administrator permissions and visit the workflow list page to see the behavior described. https://rock.rocksolidchurchdemo.com/page/288?WorkflowTypeId=17

Issue Confirmation

  • Perform a search on the Github Issues to see if your bug or enhancement is already reported.
  • Try to reproduce the problem on a fresh install or on the demo site.

Rock Version

Tested: 14.2 & 15.3

Client Culture Setting

en-US
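As an added illustration for whoever picks this up (not Rock's own block code and not part of the report), the block-level shape that avoids the reported behavior: the workflow type's View permission is checked in OnLoad on every request, postbacks included, rather than only on the initial load. The class, the control names (pnlContent, nbNotAuthorized, gWorkflows, gfFilter) and the handler name are hypothetical, and the Rock API calls are assumed from its public API.

```csharp
// Added example, not Rock's own block code. Control names (pnlContent, nbNotAuthorized,
// gWorkflows, gfFilter) are hypothetical; the Rock APIs used are assumed from its public API.
using System;
using System.Linq;
using Rock;
using Rock.Data;
using Rock.Model;
using Rock.Security;
using Rock.Web.UI;

public partial class WorkflowListHardened : RockBlock
{
    private WorkflowType _workflowType;
    protected override void OnLoad( EventArgs e )
    {
        base.OnLoad( e );
        // Resolve the secured entity on every request, postbacks included.
        int? workflowTypeId = PageParameter( "WorkflowTypeId" ).AsIntegerOrNull();
        _workflowType = workflowTypeId.HasValue
            ? new WorkflowTypeService( new RockContext() ).Get( workflowTypeId.Value )
            : null;
        // Vulnerable shape (as reported): guarding this check with `if ( !Page.IsPostBack )`
        // lets the "Apply Filter" postback rebind the grid without re-evaluating permissions.
        bool canView = _workflowType != null
            && _workflowType.IsAuthorized( Authorization.VIEW, CurrentPerson );
        if ( !canView )
        {
            // Hide filter and grid together; a collapsed filter invites the exposing postback.
            pnlContent.Visible = false;
            nbNotAuthorized.Visible = true;
            return;
        }

        pnlContent.Visible = true;
        if ( !Page.IsPostBack )
        {
            BindGrid();
        }
    }

    // Control events fire after OnLoad, so the check above has already run for this request.
    protected void gfFilter_ApplyFilterClick( object sender, EventArgs e ) => BindGrid();

    private void BindGrid()
    {
        gWorkflows.DataSource = new WorkflowService( new RockContext() ).Queryable()
            .Where( w => w.WorkflowTypeId == _workflowType.Id ).ToList();
        gWorkflows.DataBind();
    }
}
```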

@sparkdevnetwork-service added the "Status: Confirmed" and "Type: Bug" labels on Jan 22, 2024