Uploaded image for project: 'Service Packs and Hot Fixes'
  1. Service Packs and Hot Fixes
  2. MNT-20366

any user can modify an existing workflow in ACS

    Details

    • Bug Priority:
      Category 3
    • ACT Numbers:

      00985343

      Description

      Description:

      In Alfresco 5.2.4 out of the box, any user have full rights to workflow packages (path: /sys:system/sys:workflow/cm:packages). 

      If they type the package noderef ID in Share, they can edit the workflow properties (example: http://localhost:8080/share/page/document-details?nodeRef=). 

      A non-admin user can therefore modify a workflow in progress or completed, while he has no rights on it. 

      Steps to reproduce:

      1- Start a workflow on a node (for example "Send Document(s) For Review") 

      2- Find the NodeRef of the workflow package 

      With an admin account, Admin tools => Node Browser, search " /sys:system/sys:workflow/cm:packages " by xPath and click on a child node (workflow package) 

      This step requires an admin account, but it can be possible than a basic user find the node by executing a query through API

      3- We can see that GROUP_EVERYONE has all permissions on that node 

      4- With a non admin user, without any tasks on the workflow, go to the edit page of the node: http://localhost:8080/share/page/context/mine/edit-metadata?nodeRef=${noderef found at step 2} 

      It's possible to edit workflow properties, for example the items ( bpm:packageContains ) 

      5- Workflow items changed 

      Current behaviour:

      A non admin user can modify an existing workflow and that makes the environment susceptible for an attack.

      Expected behaviour:

      A workflow should be modified only by the user who created it or is entitled to modify it. Any other user should have no permission on it.

      Additional info:
      1. Examples of the issue repro attached.

      2. When I also tested the same with the latest ACS version 6.1. I cannot reproduce it any longer as I get the following error when non-admin user try to click on the save button after changing one of the value. I attached the screenshot named Error_with_ACS6.1.png for further assistance.

      "Failure: An unknown error occurred. Please ask the administrator to check the log files for details."

        Attachments

          Structure

            Activity

              People

              • Assignee:
                shareteam Share Team
                Reporter:
                apetrache Alin Petrache
              • Votes:
                1 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:

                  Structure Helper Panel