Taskana / taskana

Lightweight library for general purpose task management
https://taskana.pro
Apache License 2.0

commonTaskQueryOracle doesn't check permissions #2304

Open ryzheboka opened 1 year ago

ryzheboka commented 1 year ago

commonTaskQueryOracle doesn't have an authorization check. That's why during selectAndClaim, an exception is thrown instead of returning an empty Optional. The exception looks like this:

SystemException [errorCode=ErrorCode [key=CRITICAL_SYSTEM_ERROR, messageVariables={}], message=Did not find a Workbasket for task (Id=TKI:0254453f-d8e1-4515-9f0a-734e98371baf,Workbasket=WBI:64f04353-e7c0-4234-8db8-a85a3ba10e82)]
    at pro.taskana.task.internal.TaskServiceImpl.addWorkbasketSummariesToTaskSummaries(TaskServiceImpl.java:2012)
    at pro.taskana.task.internal.TaskServiceImpl.appendComplexAttributesToTaskSummariesWithoutPartitioning(TaskServiceImpl.java:1168)

The reason for the exception is the following: The query for selectAndClaim returns a Task although it shouldn't. Then, TASKANA tries to append a Workbasket to this Task and fails because of missing permission. @arolfes, was it intended that the Oracle query doesn't have authorization checks? Could you please look into it?

nyuuyn commented 1 year ago

Is there a way to reproduce this problem via the test available?