4 Replies Latest reply on May 6, 2015 4:29 AM by ahmedza

    KIE Workbench Security Vulnerability - “USER” role is able to see assets and can update doing a URL copy from admin user's screen

    ahmedza

      I am getting the following user rights issue with the KIE-WORKBENCH login.

      Problem Statement

      The "USER" role is able to see assets and can update assets. As per the documentation, the User role cannot view or modify an asset. This happens when following the steps below of copying URLs. Screenshots are attached for reference.

      Versions Used

      1. 6.1.0.Final

      Steps To Reproduce

      1. Login with Admin/Developer role.
      2. Open an asset in KIE Workbench. Example, open a BPMN2 file.
      3. Copy the URL.
      4. Logout from Admin/Developer role
      5. Login as USER role
      6. Paste the URL from STEP# 3

      After performing the above steps, the "USER" role is able to change/update the asset.

      Expected Solution

      1. Can the security be enabled using a configuration?
      2. Or is this a security loophole that needs a patch?
      3. Kindly let us know, if it is fixed in KIE-WORKBENCH 6.2.0.Final