Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: 7.0.0.GA
Affects Version/s: 6.x.x
Component/s: Business Central
Labels:
- AppFormer
- AppFormer-Prioritized

CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Fix Build:
ER5
Target Release:

7.0.0.GA
Steps to Reproduce:

Hide

1) create user bpmUser1 (roles user,group1)
2) create user bpmUser2 (roles user,group2)
3) create a business process with 2 human tasks. The first human task assigned to group1, the second human task assigend to group2.
4) Start the process
5) Login to Business Central as user bpmUser1. You will see a task.
6)Write down the taskId.
7) Login to Business Central as user bmpUser2. You will see no tasks yet.
8) Access the taskform of the task directly using the following url and replace the taskId with the taskId you have written down:
http://localhost:8080/business-central/kie-wb.jsp?perspective=FormDisplayPerspective&standalone=true&opener=localhost:8080&taskId=6

You should see the same as the attachment (content.png).

Show
1) create user bpmUser1 (roles user,group1) 2) create user bpmUser2 (roles user,group2) 3) create a business process with 2 human tasks. The first human task assigned to group1, the second human task assigend to group2. 4) Start the process 5) Login to Business Central as user bpmUser1. You will see a task. 6)Write down the taskId. 7) Login to Business Central as user bmpUser2. You will see no tasks yet. 8) Access the taskform of the task directly using the following url and replace the taskId with the taskId you have written down: http://localhost:8080/business-central/kie-wb.jsp?perspective=FormDisplayPerspective&standalone=true&opener=localhost:8080&taskId=6 You should see the same as the attachment (content.png).

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

It has been identified a critical security issue in business-central. It is possible to access data from a specific HT by using a direct URL and an user who is not a potential owner or business administrator:

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

content.png
2017/01/12 1:19 PM
12 kB
Amana Juricic
taskFormUrl.png
2018/05/06 8:26 AM
51 kB
Bojan Sremac

is cloned by

RHBPMS-4576 [GSS](6.4.z) A user can display tasks for which he is not PotOwner or BussinesAdm in BPM Suite 6.4

Verified

JBPM-7247 A user can display tasks for which he is not PotOwner or BussinesAdmin (Code cleanup)

Resolved

Assignee:: Pere Fernandez Perez

Reporter:: Amana Juricic

Tester:: Bojan Sremac (Inactive)

QA Contact:: Bojan Sremac (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: 2017/01/12 1:19 PM

Updated:: 2024/02/12 9:41 AM

Resolved:: 2018/04/27 2:38 AM

Details

Description

Attachments

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates