[MGNLWORKFLOW-179] Any user can launch a workflow regardless of their permissions Created: 10/Dec/13  Updated: 11/Dec/13  Resolved: 11/Dec/13

Status: Closed
Project: Magnolia Workflow Module
Component/s: Base
Affects Version/s: 5.2
Fix Version/s: 5.2.1

Type: Bug Priority: Critical
Reporter: Federico Grilli Assignee: Federico Grilli
Resolution: Fixed Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
causality
is causing MGNLUI-2510 UI shouldn't enable actions for which... Closed
relation
is related to MGNLWORKFLOW-178 Workflow roles do not grant access to... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled

 Description   

As long as a workflow action is available in the UI, there's no security check regarding the grants owned by the current user.
The basic rule should be "user has Read+Write grants on the workflow workspace AND has at least Read grant on the node they're trying to publish.


Generated at Mon Feb 12 10:07:32 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.