Hi,
I recently updated my Bonita to the 6.5.3 version (please, don’t tell me to use 7.X).
When I try to modify (PUT) a caseVariable using the REST API, I’m facing a “403 Forbidden” as a User (User1), but it doesn’t occur as an Administrator (Admin1).
The pending task is assigned to User1 and I can read (GET) the caseVariable.
According to the security scripts, they seem to use the same “way” to determine if a user is allowed (or not) to execute the request.
import org.bonitasoft.engine.api.APIAccessor
import org.bonitasoft.engine.api.Logger
import org.bonitasoft.engine.api.permission.APICallContext
import org.bonitasoft.engine.api.permission.PermissionRule
import org.bonitasoft.engine.exception.NotFoundException
import org.bonitasoft.engine.session.APISession

class CaseVariablePermissionRule implements PermissionRule {

    @Override
    public boolean isAllowed(APISession apiSession, APICallContext apiCallContext, APIAccessor apiAccessor, Logger logger) {
        long currentUserId = apiSession.getUserId()
        def resourceId = apiCallContext.getResourceId()
        def processAPI = apiAccessor.getProcessAPI()
        try {
            // PUT or GET on a single variable: allowed only if the caller supervises the case's process
            if ((apiCallContext.isPUT() || apiCallContext.isGET()) && resourceId != null) {
                // Resource format: <processInstanceId>/<caseVariableName>
                def caseId = Long.valueOf(resourceId.tokenize("/").first())
                def processInstance = processAPI.getProcessInstance(caseId)
                return processAPI.isUserProcessSupervisor(processInstance.getProcessDefinitionId(), currentUserId)
            }
            // GET on the collection filtered by case_id: same supervisor check
            def filters = apiCallContext.getFilters()
            if (apiCallContext.isGET() && filters.containsKey("case_id")) {
                def caseId = Long.valueOf(filters.get("case_id"))
                def processInstance = processAPI.getProcessInstance(caseId)
                return processAPI.isUserProcessSupervisor(processInstance.getProcessDefinitionId(), currentUserId)
            }
            // Every other request shape is denied by this rule
            return false
        } catch (NotFoundException e) {
            // The case could not be resolved: the rule lets the call through
            return true
        }
    }
}
Did you face the same issue?
Thanks!
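To see which requests the posted rule accepts for a supervisor versus a plain task assignee, the rule's branches can be run outside the engine against stand-in objects. The script below is an added example, not Bonita's code and not the original poster's; `ProcessAPI`, `ProcessInstance`, `NotFoundException` and `Call` are local stand-ins that mirror only the methods the rule calls, and the case, process definition and user ids are constructed for the run.

```groovy
// Local stand-ins (assumption: they are NOT the org.bonitasoft.engine classes,
// only the methods the posted rule calls are mirrored here).
class NotFoundException extends Exception {}

interface ProcessInstance { long getProcessDefinitionId() }

interface ProcessAPI {
    ProcessInstance getProcessInstance(long caseId) throws NotFoundException
    boolean isUserProcessSupervisor(long processDefinitionId, long userId)
}

// One REST call as the rule sees it: method, resource id ("<caseId>/<name>") and filters
class Call {
    String method
    String resourceId
    Map<String, String> filters = [:]
    boolean isGET() { method == 'GET' }
    boolean isPUT() { method == 'PUT' }
}

// Same branches as the rule on the page, with the engine objects passed in
boolean isAllowed(Call call, long currentUserId, ProcessAPI processAPI) {
    try {
        if ((call.isPUT() || call.isGET()) && call.resourceId != null) {
            def caseId = Long.valueOf(call.resourceId.tokenize('/').first())
            def processInstance = processAPI.getProcessInstance(caseId)
            return processAPI.isUserProcessSupervisor(processInstance.getProcessDefinitionId(), currentUserId)
        }
        if (call.isGET() && call.filters.containsKey('case_id')) {
            def caseId = Long.valueOf(call.filters.get('case_id'))
            def processInstance = processAPI.getProcessInstance(caseId)
            return processAPI.isUserProcessSupervisor(processInstance.getProcessDefinitionId(), currentUserId)
        }
        return false
    } catch (NotFoundException e) {
        return true
    }
}

// Constructed data: case 42 belongs to process definition 7; user 101 (Admin1)
// supervises that process, user 102 (User1) only has the pending task assigned.
final long PROCESS_DEF = 7L
final Set<Long> SUPERVISORS = [101L] as Set
def api = [
    getProcessInstance: { long caseId ->
        if (caseId != 42L) throw new NotFoundException()
        [getProcessDefinitionId: { PROCESS_DEF }] as ProcessInstance
    },
    isUserProcessSupervisor: { long defId, long userId ->
        defId == PROCESS_DEF && userId in SUPERVISORS
    }
] as ProcessAPI

[
    new Call(method: 'PUT', resourceId: '42/myVar'),
    new Call(method: 'GET', resourceId: '42/myVar'),
    new Call(method: 'GET', filters: [case_id: '42']),
    new Call(method: 'PUT', resourceId: '99/myVar'),   // case id that does not exist
].each { call ->
    [101L, 102L].each { user ->
        println "${call.method} ${call.resourceId ?: call.filters} user=${user} -> ${isAllowed(call, user, api)}"
    }
}
```

Run it with `groovy` on the command line. With the constructed data every branch returns false for user 102, so under this rule alone task assignment never grants a PUT (or a GET by resource id); only supervisor status does. The last call also shows the `catch` branch: when the case cannot be resolved the rule answers true for both users, so a request naming a non-existent case is passed on to the engine rather than refused by the rule.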