The user with User profile can't view Timeline in case-details pages in User Application

Error reason:

When I map a user to the User profile, the user can start a process and submit a task without any problem. But the user can't view the Timeline in the case-details page; when I map the user to the Administrator profile, he can view the Timeline in the case-details page without any problem. I don't know where I made mistakes in the configuration, but I hope a user with the User profile can view the Timeline. Could you kindly give me some advice?

ENV:

Runtime -> docker image: bonita:7.13.

Databases: postgreSql.

Error Message:

1: HTTP response with 403 code

1) GET http://localhost:9898/bonita/portal/resource/app/userAppBonita/case-details/API/bpm/archivedCase/?p=0&c=1&d=started_by&d=startedBySubstitute&d=processDefinitionId&f=sourceObjectId=2 403

2) GET http://localhost:9898/bonita/portal/resource/processInstance/sva-demo/1.0/API/bpm/archivedCase?c=1&d=started_by&d=startedBySubstitute&d=processDefinitionId&f=sourceObjectId%3D2&p=0 403

3) GET http://localhost:9898/bonita/portal/resource/processInstance/sva-demo/1.0/API/bpm/task?p=0&c=999&d=executedBy&d=executedBySubstitute&d=assigned_id&f=caseId%3D2&f=type%3DUSER_TASK&o=last_update_date%20DESC 403

4) GET http://localhost:9898/bonita/portal/resource/processInstance/sva-demo/1.0/API/bpm/archivedHumanTask?p=0&c=999&d=executedBy&d=executedBySubstitute&f=caseId%3D2&o=reached_state_date%20DESC 403

2: The message under the Timeline section is:

No Events yet. Nothing noticeable happened yet... But it surely will come!

Hi,

As you can see from the HTTP error code, the user does not have enough privileges to query the REST API consumed to fetch the data that is displayed as part of the timeline.

By default a simple user can only list the following tasks:

  • human tasks pending for him/her
  • human tasks he/she is assigned to
  • human tasks he/she has performed

He/she will be denied access to any other tasks (e.g. automatic tasks, gateways, events, human tasks assigned to someone else, etc.).

If you want to grant access to the timeline to a User you have 3 options:

  • Grant the User the right to make the REST call needed by the Timeline ==> /!\ may be a security breach as the user will be allowed to list tasks not designed for him/her (I do not know your context and cannot say if that is an option or not for you; chances are that this is not an option)
    See https://documentation.bonitasoft.com/bonita/2022.1/identity/api-permissions-overview for reference
  • Modify the timeline to fetch only the subsets of tasks the user is allowed to see

Note: the Enterprise edition of Bonita has a more fine grained User Access Control capability that would probably help your use case.

Hope this helps,

Captain Bonita
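To make the answer's rule concrete, here is an added, standalone model (not Bonita's code and not written by the answerer) that parses the four requests quoted in the question, applies the stated default rule ("a simple user may only list human tasks pending for, assigned to or performed by himself/herself"; Administrator passes) to explain each 403, and shows what option 2 means in practice by narrowing a task listing to the caller's own tasks. The filter names `assigned_id` and `user_id`, the set of task resources, and the caller id `4` are assumptions made for the illustration; the rule for non-task resources such as `bpm/archivedCase` is only reported as "needs a mapped permission", since the answer does not describe it.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# The four requests copied from the question (403 for User, OK for Administrator).
FAILED_REQUESTS = [
    "http://localhost:9898/bonita/portal/resource/app/userAppBonita/case-details/API/bpm/archivedCase/?p=0&c=1&d=started_by&d=startedBySubstitute&d=processDefinitionId&f=sourceObjectId=2",
    "http://localhost:9898/bonita/portal/resource/processInstance/sva-demo/1.0/API/bpm/archivedCase?c=1&d=started_by&d=startedBySubstitute&d=processDefinitionId&f=sourceObjectId%3D2&p=0",
    "http://localhost:9898/bonita/portal/resource/processInstance/sva-demo/1.0/API/bpm/task?p=0&c=999&d=executedBy&d=executedBySubstitute&d=assigned_id&f=caseId%3D2&f=type%3DUSER_TASK&o=last_update_date%20DESC",
    "http://localhost:9898/bonita/portal/resource/processInstance/sva-demo/1.0/API/bpm/archivedHumanTask?p=0&c=999&d=executedBy&d=executedBySubstitute&f=caseId%3D2&o=reached_state_date%20DESC",
]

# Assumption: these are the task-listing resources the answer's rule applies to.
TASK_RESOURCES = {"bpm/task", "bpm/humanTask", "bpm/archivedHumanTask"}
# Assumption: filters by which a caller restricts a listing to himself/herself.
SELF_FILTERS = {"assigned_id", "user_id"}


def parse_request(url):
    """Return (resource, filters): resource is the 'bpm/xxx' part after '/API/',
    filters is a dict built from the repeated f=name=value query parameters."""
    parts = urlsplit(url)
    if "/API/" not in parts.path:
        raise ValueError("not a Bonita REST API call: " + url)
    segments = [s for s in parts.path.split("/API/", 1)[1].split("/") if s]
    resource = "/".join(segments[:2])
    filters = {}
    for key, value in parse_qsl(parts.query):  # parse_qsl decodes %3D to '='
        if key == "f" and "=" in value:
            name, _, val = value.partition("=")
            filters[name] = val
    return resource, filters


def verdict(profile, url, caller_id):
    """Apply the rule from the answer: Administrator passes; any other profile may
    list task resources only when the request is filtered on the caller.  Other
    resources are reported as needing a permission grant (not modelled here)."""
    resource, filters = parse_request(url)
    if profile == "Administrator":
        return "allowed"
    if resource in TASK_RESOURCES:
        if any(filters.get(f) == str(caller_id) for f in SELF_FILTERS):
            return "allowed"
        return "denied: lists tasks of other users (no self filter on the request)"
    return "denied: needs the resource's mapped permission (see api-permissions-overview)"


def scope_to_caller(url, caller_id):
    """Option 2 from the answer: keep the timeline's own filters (caseId, type)
    but add f=assigned_id=<caller> so only the caller's tasks are requested."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query)
    query.append(("f", f"assigned_id={caller_id}"))
    return urlunsplit(parts._replace(query=urlencode(query)))


def audit(profile, caller_id, urls=FAILED_REQUESTS):
    """Map each distinct resource in the captured requests to its verdict."""
    return {parse_request(u)[0]: verdict(profile, u, caller_id) for u in urls}


if __name__ == "__main__":
    for profile in ("User", "Administrator"):
        print(profile, audit(profile, caller_id=4))
    # Constructed caller id 4: the narrowed bpm/task query passes the rule.
    print(scope_to_caller(FAILED_REQUESTS[2], 4))
```

Running it shows that every captured request fails the rule for the User profile, which matches the four 403s, while the same `bpm/task` query becomes acceptable once it carries `f=assigned_id=<caller>`. Before choosing option 1 instead, compare the list of "denied" resources with the permissions you would have to grant; that list is exactly the extra data a User-profile member would gain access to.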