[MGNLWORKFLOW-350] Tasks don't carry the same permission restrictions as the content associated with them
Created: 31/Jan/17  Updated: 23/Aug/22

Status: Open
Project: Magnolia Workflow Module
Component/s: jBPM
Affects Version/s: 5.6
Fix Version/s: None

Type: Improvement
Priority: Neutral
Reporter: Antti Hietala
Assignee: Unassigned
Resolution: Unresolved
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Team: AuthorX

Description

Today, everyone in the publishers group can see all tasks in Pulse. This is a problem with sensitive content. Only users who have permission to view the content item should see the task. The task should be considered metadata about the content and carry the same permission restrictions.

Example: A small group of editors creates a sensitive press release /news/ceo-steps-down. It is critical that this information is not released until the page is public. Only the small group of editors has permission to view the page on the author instance. However, when the page is published, everybody in the bigger publishers group can see the task in Pulse, including the item path and the node name. The news has leaked.

Summary:

  • Task should be considered metadata. It should carry the same permission restrictions as its content.
  • Users should only see Pulse tasks for content they have permission to view.
  • If I don't have permission to view the content then I should not see the task in Pulse either.
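
The requested behaviour, sketched as an added example that is not part of the original issue and is not Magnolia or jBPM code: a task is listed only when the user belongs to the task's group and can also read the content path the task refers to. The types `AclRule`, `User` and `Task`, the group `press-editors`, the path `/news/ceo-steps-down-teaser` and the rule semantics (most specific rule wins within a group, any granting group suffices, default deny) are assumptions made for illustration.

```java
import java.util.*;

public class PulseTaskFilter {
    // Constructed model, not Magnolia's API: a rule allows or denies read on a subtree for one group.
    record AclRule(String group, String pathPrefix, boolean allowRead) {}
    record User(String name, Set<String> groups) {}
    record Task(String id, String contentPath, String candidateGroup) {}

    // Segment-aware match: "/news/ceo-steps-down" must not cover "/news/ceo-steps-down-teaser".
    static boolean covers(String prefix, String path) {
        return prefix.equals("/") || path.equals(prefix) || path.startsWith(prefix + "/");
    }

    // Within one group the most specific (longest) matching rule decides; no match means deny.
    static boolean groupCanRead(String group, String path, List<AclRule> acl) {
        return acl.stream().filter(r -> r.group().equals(group) && covers(r.pathPrefix(), path))
                .max(Comparator.comparingInt((AclRule r) -> r.pathPrefix().length()))
                .map(AclRule::allowRead).orElse(false);
    }

    // A user may read the content if any of their groups grants it.
    static boolean canRead(User user, String path, List<AclRule> acl) {
        return user.groups().stream().anyMatch(g -> groupCanRead(g, path, acl));
    }

    // Task visibility = member of the task's group AND read access to the content itself.
    static List<Task> visibleTasks(User user, List<Task> tasks, List<AclRule> acl) {
        return tasks.stream()
                .filter(t -> user.groups().contains(t.candidateGroup()))
                .filter(t -> canRead(user, t.contentPath(), acl))
                .toList();
    }

    public static void main(String[] args) {
        List<AclRule> acl = List.of(   // constructed sample data
                new AclRule("publishers", "/", true),
                new AclRule("publishers", "/news/ceo-steps-down", false),
                new AclRule("press-editors", "/news/ceo-steps-down", true));
        List<Task> tasks = List.of(    // constructed sample data
                new Task("t1", "/news/ceo-steps-down", "publishers"),
                new Task("t2", "/news/ceo-steps-down-teaser", "publishers"),
                new Task("t3", "/about", "publishers"));
        User editor = new User("editor", Set.of("publishers", "press-editors"));
        User publisher = new User("publisher", Set.of("publishers"));
        for (User u : List.of(editor, publisher))
            System.out.println(u.name() + " sees " + visibleTasks(u, tasks, acl));
    }
}
```

With this sample data the user who is only in `publishers` gets no task for `/news/ceo-steps-down`, so neither the item path nor the node name reaches their task list. Filtering has to happen before the task list is returned to the client; hiding rows in the UI would still expose the path in the response.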
