A user can still create sub-processes for a case via the REST endpoint regardless of whether the Execution.create permission is given to the user.
The following endpoint is vulnerable for this exploit:
/api/v1/process-definition/{processDefinitionId}/start-form?documentId={documentId}
Affected versions: Tested on next-minor (12.3.0), but presumably from > 11.0.0 onwards where PBAC was introduced.
Reproduction path on next-minor (local `app/gzac` instance):
1. Login as user
2. Create a case for `leningen` with an amount < 20000
3. Validate that you can create the sub-process `Lening aanvragen` with an adjusted name
4. On a new incognito window, login as admin
5. Remove all existing user-role permissions for the Execution resource
6. Go back to the window with the user session without refreshing or navigating
7. Validate that you can still create the sub-process `Lening aanvragen` with an adjusted name
8. Refresh the page, and validate that the button is now disabled, which means this permission is only validated in the frontend.
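The flaw described above (a button state evaluated once in the browser while the endpoint itself never checks `Execution.create`) modelled as an added example; this is hypothetical Python, not Valtimo/GZAC code, and the store, `Frontend` class, handler names and the `lening-aanvragen`/`doc-1` ids are constructed for illustration:

```python
from dataclasses import dataclass, field
# Hypothetical model (added example, not Valtimo/GZAC code): a role -> permission
# store, a "frontend" evaluated once at page load, and the start-form handler twice.

@dataclass
class PermissionStore:
    # role -> set of "<Resource>.<action>" strings such as "Execution.create"
    grants: dict = field(default_factory=dict)
    def has(self, role: str, permission: str) -> bool:
        return permission in self.grants.get(role, set())

    def revoke_resource(self, role: str, resource: str) -> None:
        # Admin step: drop every permission on the resource for the role
        self.grants[role] = {p for p in self.grants.get(role, set())
                             if not p.startswith(resource + ".")}

class Frontend:
    """Button state as in the report: evaluated once, at page load."""
    def __init__(self, store: PermissionStore, role: str):
        self.store, self.role = store, role
        self.refresh()
    def refresh(self) -> None:
        self.button_enabled = self.store.has(self.role, "Execution.create")

def start_form_unchecked(store, role, process_definition_id, document_id):
    # Vulnerable shape: trusts the UI to hide the button; nothing is checked here
    return f"sub-process {process_definition_id} started for {document_id}"

def start_form_checked(store, role, process_definition_id, document_id):
    # Hardened shape: authorize against the live store on every request
    if not store.has(role, "Execution.create"):
        raise PermissionError("Execution.create is required")
    return start_form_unchecked(store, role, process_definition_id, document_id)

def run_scenario(handler):
    """Replays steps 1-8 and reports what the UI and the server each allowed."""
    store = PermissionStore({"user": {"Execution.create"}})
    ui = Frontend(store, "user")
    args = (store, "user", "lening-aanvragen", "doc-1")  # constructed ids
    handler(*args)                                       # step 3: allowed
    store.revoke_resource("user", "Execution")           # step 5: admin revokes
    try:                                                 # step 7: no refresh
        server_allowed = handler(*args) is not None
    except PermissionError:
        server_allowed = False
    stale_button = ui.button_enabled
    ui.refresh()                                         # step 8: refresh
    return {"stale_button": stale_button, "server_allowed": server_allowed,
            "button_after_refresh": ui.button_enabled}
```

With the unchecked handler the server still starts the sub-process after the revoke while only the refreshed button goes grey; with the checked handler the request is refused at step 7 regardless of what the stale page shows.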