Uploaded image for project: 'JBoss BRMS Platform'
  1. JBoss BRMS Platform
  2. RHBRMS-2300

User with no privileges for repository can view and modify assets in that repository

This issue belongs to an archived project. You can view it, but you can't modify it. Learn more

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • 6.3.0
    • 6.0.3
    • Business Central
    • None

      Description of problem:
      I have a repository with access restricted to certain roles. A user, who has none of these roles, has no access to this repository. However, the user can search for assets including assets in this repository and then can view them and even modify them.

      Version-Release number of selected component (if applicable):
      JBoss BRMS 6.0.3 (but the same problem applies also to Drools 6.2)

      How reproducible:
      See steps below.

      Steps to Reproduce:
      1. Use kie-config-cli to create repository repository1 and grant access to this repository to role role1. Use list-repo command to verify, that the setup is as follows:

      list-repo
      Result:
      Currently available repositories:
      Repository repository1
      scheme: git
      uri: git://repository1
      environment:

      {username=, scheme=git, security:roles=[role1], password=****}

      roles: [role1]

      2. Create user analyst (e.g. using add-user script in JBoss EAP) and grant him role analyst.
      3. Log in to business central as some administrator and create a project with some assets in the repository1 repository.
      4. Log out from business central and log in as analyst.
      5. When you click Authoring -> Project authoring, the user cannot access the repository1 repository. This is OK.
      6. Now click Find and in the search form specify some date in the past as Last modified after.
      7. Click Search.
      8. All the assets of the repository1 repository are shown, you can view them and modify them. This is incorrect, because the user analyst should have no access to the repository1 repository.

      Actual results:
      User can access assets in a repository, which he has no privileges for.

      Expected results:
      Access to the assets in that repository should be denied.

      Additional info:
      The same problem applies to the latest version of Drools (i.e. Drools 6.2) as well.

              manstis@redhat.com Michael Anstis
              pavzem Pavel Zeman (Inactive)
              Archiver:
              rhn-support-ceverson Clark Everson
              Pavel Kralik Pavel Kralik (Inactive)
              Pavel Kralik Pavel Kralik (Inactive)
              Kris Verlaenen, Lukáš Petrovický (Inactive), Michael Anstis, Pavel Kralik (Inactive), Radovan Synek (Inactive), Rajesh Rajasekaran, Toni Rikkola

                Created:
                Updated:
                Resolved:
                Archived: