inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-07-31 17:39:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

PRODSEC-6261 - Add the missing Object Level Authorization call (#1160)

Browse Source 
* PRODSEC-6261 Add 'shouldNotGetProcessesByNotInvolvedUser' test

* PRODSEC-6261 Add user validation to 'getProcess' method

* PRODSEC-6261 Add TestRail annotation minor fix
This commit is contained in:
Damian Ujma
2022-06-20 11:59:25 +02:00
committed by GitHub
parent cc9fe10c05
commit 7c0f6998ec
2 changed files with 14 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/workflow/processes/GetProcessSanityTests.java
View File

@@ -16,7 +16,7 @@ import org.testng.annotations.Test;
*/ */
public class GetProcessSanityTests extends RestTest public class GetProcessSanityTests extends RestTest
{ {
private UserModel userWhoStartsProcess, assignee; private UserModel userWhoStartsProcess, assignee, user;
private RestProcessModel addedProcess, process; private RestProcessModel addedProcess, process;
@BeforeClass(alwaysRun = true) @BeforeClass(alwaysRun = true)
@@ -24,6 +24,7 @@ public class GetProcessSanityTests extends RestTest
{ {
userWhoStartsProcess = dataUser.createRandomTestUser(); userWhoStartsProcess = dataUser.createRandomTestUser();
assignee = dataUser.createRandomTestUser(); assignee = dataUser.createRandomTestUser();
user = dataUser.createRandomTestUser();
addedProcess = restClient.authenticateUser(userWhoStartsProcess).withWorkflowAPI().addProcess("activitiAdhoc", assignee, false, CMISUtil.Priority.High); addedProcess = restClient.authenticateUser(userWhoStartsProcess).withWorkflowAPI().addProcess("activitiAdhoc", assignee, false, CMISUtil.Priority.High);
} }
@@ -59,4 +60,13 @@ public class GetProcessSanityTests extends RestTest
process.assertThat().field("id").is(addedProcess.getId()) process.assertThat().field("id").is(addedProcess.getId())
.and().field("startUserId").is(addedProcess.getStartUserId()); .and().field("startUserId").is(addedProcess.getStartUserId());
} }
@TestRail(section = { TestGroup.REST_API, TestGroup.PROCESSES }, executionType = ExecutionType.SANITY,
description = "Verify User that is not involved in a process cannot get that process using REST API and status code is FORBIDDEN (403)")
@Test(groups = { TestGroup.REST_API, TestGroup.WORKFLOW, TestGroup.PROCESSES, TestGroup.SANITY })
public void shouldNotGetProcessesByNotInvolvedUser() throws Exception
{
process = restClient.authenticateUser(user).withWorkflowAPI().usingProcess(addedProcess).getProcess();
restClient.assertStatusCodeIs(HttpStatus.FORBIDDEN);
}
} }

2
remote-api/src/main/java/org/alfresco/rest/workflow/api/impl/ProcessesImpl.java
View File

@@ -512,6 +512,8 @@ public class ProcessesImpl extends WorkflowRestImpl implements Processes
throw new InvalidArgumentException("processId is required to get the process info"); throw new InvalidArgumentException("processId is required to get the process info");
} }
validateIfUserAllowedToWorkWithProcess(processId);
HistoricProcessInstance processInstance = activitiProcessEngine HistoricProcessInstance processInstance = activitiProcessEngine
.getHistoryService() .getHistoryService()
.createHistoricProcessInstanceQuery() .createHistoricProcessInstanceQuery()