[MGNLWORKFLOW-350] Tasks don't carry the same permission restrictions as the content associated with them
Created: 31/Jan/17 | Updated: 23/Aug/22 |
|
| Status: | Open |
| Project: | Magnolia Workflow Module |
| Component/s: | jBPM |
| Affects Version/s: | 5.6 |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Neutral |
| Reporter: | Antti Hietala | Assignee: | Unassigned |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Template: |
|
| Acceptance criteria: |
Empty
|
| Task DoD: |
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ] Architecture Decision Record (ADR)
|
| Team: |
| Description |
|
Today, everyone in the publishers group can see all tasks in Pulse. This is a problem with sensitive content. Only users who have permission to view the content item should see the task. The task should be considered metadata about the content and carry the same permission restrictions.

Example: A small group of editors creates a sensitive press release /news/ceo-steps-down. It is critical that this information is not released until the page is public. Only the small group of editors has permission to view the page on the author instance. However, when the page is published, everybody in the bigger publishers group can see the task in Pulse, including the item path and the node name. The news has leaked.

Summary:
|
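A small model of the check this ticket asks for, added here as an illustration; it is not Magnolia or jBPM code. The group names, grant table, task records and function names are constructed assumptions; only the path /news/ceo-steps-down and the publishers group come from the description.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Task:
    task_id: str
    content_path: str    # path of the content item the task refers to
    assignee_group: str  # group whose members receive the task

# Constructed sample data (assumption): read grants per group, deny by default.
READ_GRANTS = {
    "publishers": ["/travel", "/news/archive"],
    "press-editors": ["/news/ceo-steps-down"],
}
TASKS = [
    Task("t1", "/travel/summer-offers", "publishers"),
    Task("t2", "/news/ceo-steps-down", "publishers"),
]

def covers(grant: str, path: str) -> bool:
    """True if path is the granted node or lies below it (whole segments only)."""
    grant = grant.rstrip("/")
    return path == grant or path.startswith(grant + "/")

def can_read(groups: set, path: str) -> bool:
    """A user may read a path if any of their groups holds a covering grant."""
    return any(covers(g, path) for grp in groups for g in READ_GRANTS.get(grp, []))

def tasks_by_group_only(groups: set) -> list:
    """Behaviour described in the ticket: group membership alone decides."""
    return [t.task_id for t in TASKS if t.assignee_group in groups]

def tasks_with_content_check(groups: set) -> list:
    """Requested behaviour: the task inherits the content item's read restriction."""
    return [t.task_id for t in TASKS
            if t.assignee_group in groups and can_read(groups, t.content_path)]

if __name__ == "__main__":
    publisher = {"publishers"}
    editor = {"publishers", "press-editors"}
    print(tasks_by_group_only(publisher))       # both tasks, including the press release
    print(tasks_with_content_check(publisher))  # press release task is withheld
    print(tasks_with_content_check(editor))     # editor with read access sees both
```

The filter drops the whole task rather than masking individual fields, because the description notes that the item path and node name alone are enough to disclose the news.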