PRODSEC-6261 - Add the missing Object Level Authorization call (#1160)

* PRODSEC-6261 Add 'shouldNotGetProcessesByNotInvolvedUser' test * PRODSEC-6261 Add user validation to 'getProcess' method * PRODSEC-6261 Add TestRail annotation minor fix
2025-07-24 17:32:48 +00:00 · 2022-06-20 11:59:25 +02:00
parent cc9fe10c05
commit 7c0f6998ec
2 changed files with 14 additions and 2 deletions
--- a/packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/workflow/processes/GetProcessSanityTests.java
+++ b/packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/workflow/processes/GetProcessSanityTests.java
@@ -16,7 +16,7 @@ import org.testng.annotations.Test;
 */
 public class GetProcessSanityTests extends RestTest
 {
-    private UserModel userWhoStartsProcess, assignee;
+    private UserModel userWhoStartsProcess, assignee, user;
    private RestProcessModel addedProcess, process;

    @BeforeClass(alwaysRun = true)
@@ -24,6 +24,7 @@ public class GetProcessSanityTests extends RestTest
    {
        userWhoStartsProcess = dataUser.createRandomTestUser();
        assignee = dataUser.createRandomTestUser();
+        user = dataUser.createRandomTestUser();
        addedProcess = restClient.authenticateUser(userWhoStartsProcess).withWorkflowAPI().addProcess("activitiAdhoc", assignee, false, CMISUtil.Priority.High);
    }

@@ -59,4 +60,13 @@ public class GetProcessSanityTests extends RestTest
        process.assertThat().field("id").is(addedProcess.getId())
                .and().field("startUserId").is(addedProcess.getStartUserId());
    }
+
+    @TestRail(section = { TestGroup.REST_API, TestGroup.PROCESSES }, executionType = ExecutionType.SANITY,
+            description = "Verify User that is not involved in a process cannot get that process using REST API and status code is FORBIDDEN (403)")
+    @Test(groups = { TestGroup.REST_API, TestGroup.WORKFLOW, TestGroup.PROCESSES, TestGroup.SANITY })
+    public void shouldNotGetProcessesByNotInvolvedUser() throws Exception
+    {
+        process = restClient.authenticateUser(user).withWorkflowAPI().usingProcess(addedProcess).getProcess();
+        restClient.assertStatusCodeIs(HttpStatus.FORBIDDEN);
+    }
 }
--- a/remote-api/src/main/java/org/alfresco/rest/workflow/api/impl/ProcessesImpl.java
+++ b/remote-api/src/main/java/org/alfresco/rest/workflow/api/impl/ProcessesImpl.java
@@ -511,7 +511,9 @@ public class ProcessesImpl extends WorkflowRestImpl implements Processes
        {
            throw new InvalidArgumentException("processId is required to get the process info");
        }
-        
+
+        validateIfUserAllowedToWorkWithProcess(processId);
+
        HistoricProcessInstance processInstance = activitiProcessEngine
                .getHistoryService()
                .createHistoricProcessInstanceQuery()