All users can do all tasks? Security bug?

Submitted by ruben_zornoza on Tue, 07/08/2014 - 17:03
1
0
-1

Hello everyone,

I'm trying some email notifications to let user access easily to his/her new available tasks directly so i check the URL of a form and I make a simple connector that send this mail: "http://localhost:8080/bonita/portal/homepage#?id="+activityInstanceId+"&_p=performTask&_pf=1"

And I was surprised when i check multiple users and everyone can perform the task simply login at the portal. Is this behavior correct? Is there any way to limit which users can perform a task?

Sorry for my English and thanks in advance.

Rubén Zornoza.

Edit: I try to open a Issue at https://bonita.atlassian.net/ but after registration i simply have not the "Create issue" button.

Comments

Submitted by rahmi.hichem on Wed, 07/09/2014 - 17:22

You can manage this by filtring your users : Actor ->Actor filter -> Initiator, like this just the one who initialize the process who will get the notification

Permalink
Submitted by ruben_zornoza on Wed, 07/09/2014 - 17:42

Thank you rahmi.

My connector just send the email to the users in the lane group, so just the users who can do the task will receive the notification. The problem is that any user can perform any task just playing with the "id" parameter at the URL.

This can be a security problem because, in fact, anyone "can" do any task. So there is no access control of which user can access to a task or do a task not in the portal, neither in the engine. And that is quite worrying.

Thank you again!

Permalink
Submitted by rahmi.hichem on Thu, 07/10/2014 - 10:38

You can hundle this by assigning to your users (who can do the task) a specify group or a specify role in the groupe

Permalink
Submitted by yannick.lombardi on Thu, 07/10/2014 - 10:39

When you send your email, you need to also send a message event where the message contains the name of the user. Before the task you want to assign, you need to catch this message and then create a filter that assign the task to a user (like says rahmi.hichem).

Permalink
Submitted by ruben_zornoza on Thu, 07/10/2014 - 13:21

I have made a few more tests.

With the URL any user can perform the task, even if the task was assigned to another user, so assign the task will not solve the problem. The problem is that with a URL any user can perform any human task, no matter the actor or assignation of the task.

I set one actor to the lane, I assign the task to a user, and nothing seems to matter. Any user can perform the task even if the user is not in the actors group and the task was assigned to another user.

When performing a task is not taken into account either the actor or the user assigned to the task.

The user, theoretically, can not perform the task. The user is not in the task's actors group and the task is already assigned to another user. But nothing matter, the user go to the link, access with his user/pass and can do the task ( with a user that "can not" perform the task). And this is the real problem.

Try it by yourself, go to a form task, copy the URL of the form, log out, log in with a user that "can not" perform the task and paste the URL of the task in the navigation bar. You will see the form and can perform the task.

No matter the actor, no matter the assignment, if a user has the id of a human task he can perform it with a single URL. That is worrying. And i think that is a bug.

Thank you everyone.

P.D: Bonita Version 6.3.2.

Permalink
Submitted by yannick.lombardi on Thu, 07/10/2014 - 14:06

I have Bonita 6.3.1 and when I assign a task to a user, if I give the url to another user he see this message :

Access denied: you do not have the rights to view this page.

So, I think your actor mapping is not good. You must miss something

Permalink
Submitted by haris.subasic on Thu, 07/10/2014 - 14:23

Ruben, you should upgrade to the latest version, as yannicklombardi said. Which version are you using?

Permalink
5 answers

Submitted by ruben_zornoza on Fri, 07/11/2014 - 10:17
1
+1
-1
This one is the BEST answer!

After a few more tests i can confirm it.

Is a bug in the 6.3.2 version. I have imported the process in a 6.3.1 environment and the behavior is the correct one, if a user try to access to a task and is not in the actor settled to the task a message warning that the user have no permission to access to that task is shown and the user can not perform the task.

But is confirmed, in 6.3.2 version there is a bug that allow any user perform any task. even if the task is assigned to another user and the method "canExecuteTask" return false for the user who perform the task.

Thank you again.

P.D: I will mark this post as solved and try to open a issue, thank you everyone.

P.P.D: I still can not add a new comment...

Submitted by ruben_zornoza on Thu, 07/10/2014 - 18:12
1
0
-1

I test the process at 6.3.1 and in this version all works perfectly. I will make more tests, but it seems a 6.3.2 bug.

Comments

Submitted by haris.subasic on Fri, 07/11/2014 - 09:33

OK, let us know what are the results, especially if you confirm that it does not work in 6.3.2

Permalink

Submitted by ruben_zornoza on Thu, 07/10/2014 - 16:21
1
0
-1

(Can not post comments again, sorry)

Thank you again Haris,

The actor mapping seems correct, in the portal's tasks list the task is only displayed to the users in the group defined in the actor (but if a user that is not in this group have the URL he can perform the task, sorry for repeat it).

I made a test with a assigned task, hiding a field with "insert widget if" "apiAccessor.getProcessAPI().canExecuteTask(activityInstanceId, loggedUserId)" and when the task is assigned to another user the field is hidden, but the user can perform the task anyway even when the method canExecuteTask has returned false.

I will try some test at 6.3.1 version.

Thank you one more time.

P.D: I'm executing this from the Bonita Studio(64bit) in a windows 7 64bit with a JRE 1.7 and the default h2 database and tomcat. If this may give some clues.

Comments

Submitted by yannick.lombardi on Thu, 07/10/2014 - 16:31

Did you use an Actor Filter ?

Permalink

Submitted by ruben_zornoza on Thu, 07/10/2014 - 14:33
1
0
-1

(Sorry for post a response but the forum don't let me post a comment...) Hi Haris, I'm using Bonita 6.3.2, the last version available. I will check with a previous version.

Anyway, i think that a task can only be assigned to one user and not to a group or a role. If this is the only solution i will can not limit the access to a task to a group of users.

Thank you all again.

P.D: Downloading Bonita 6.3.1...

Comments

Submitted by haris.subasic on Thu, 07/10/2014 - 15:14

If you are using 6.3.2, there is no need to downgrade, it will work the same way in 6.3.2 (even better :)). Your problem must be coming from the actor mapping. Make sure that you use actors and actor filters properly. Then test with someone who does not make part of the group to which the task is assigned - you should be restricted. You can also try to assign a task to one person in the Portal and then try accessing to it with another user, as a test. This will show you that you have an issue in actor mapping. And let us know ;)

Permalink

Submitted by sylvain.bailly on Wed, 07/09/2014 - 14:33
1
0
-1

Normally on your process you define which group/role/user can perform a task. By default, your task takes the autor of the lane but u can precise manually which actor can do the task.

Check the actors fields. It must solve the problem.

Comments

Submitted by ruben_zornoza on Thu, 07/10/2014 - 13:29

I post a comment in the question. I also test to assign a different actor to the task and the result is the same. Any user can perform any task. Try it by yourself, go to a form task, copy the URL of the form, log out, log in with a user that "can not" perform the task and paste the URL of the task in the navigation bar. You will see the form and can perform the task.

Thank you for your reply.

P.D: Bonita version 6.3.2. Community Edition.

Permalink
Notifications