Category: Security
Created by: Guest
Created on: Mar 25, 2024

Fix security issue on access to a basic task linked to out-of-office exception management.

In the case of an out-of-office rule with an exception, a user who is not in the exception is able to take action on the task using the link available from the worklist of the user who is in the exception (the link containing SharedUser=): https://nintex.k2test.net/Runtime/Runtime/Form/com.K2.System.Workflow.Form.BasicTask/?SN=5_43&_title=For%20Folio%20Folio%20test%202024-01-31%2015%3A10%3A46Z%20started%20by%20K2%3AK2TEST%5CSAF-K2TEST393-K2Svc&_url=&_embed=&SharedUser=K2:K2TEST\UserDestination


To reproduce:

A) Set up an out of office with an exception. In my example: "User Destination" is out of office with a delegation to the service account, except for the K2FranceInstallationValidationWF: this one is for SupUser01.

B) Create an instance with destination "User Destination".

C) Verify that with the service account, you don't see the task.

D) With the account SupUser01, you can see the task in the worklist.

E) From the SuperUser01 standard worklist, click on Open form: you can do the action. But just copy the URL: https://nintex.k2test.net/Runtime/Runtime/Form/com.K2.System.Workflow.Form.BasicTask/?SN=5_43&_title=For%20Folio%20Folio%20test%202024-01-31%2015%3A10%3A46Z%20started%20by%20K2%3AK2TEST%5CSAF-K2TEST393-K2Svc&_url=&_embed=&SharedUser=K2:K2TEST\UserDestination

F) From the service account, paste this URL in your browser.


Result: it is possible to do the action on this task.

Expected result: the value should be empty, as in the case of a bad URL.


Possible improvement of the basicTask URL: display the standard error that we get with the Open Worklist Item method from SmartForms:

Worklist item could not be opened. 24411 K2:DENALLIX\Administrator is not allowed to open the worklist item with SN=123_23


G) Go to the report and click on the Id of the instance.

H) Click on the Client Event hyperlink in the "Activities" table.


Result:

The Participants table is empty.

In the 'Events' table, we only have the K2 service account.


Expected result:

We should clearly see all participants of this task and see that the service account did the action on behalf of "User Destination".

After fixing step H and doing the action with SuperUser01:

We should clearly see all participants of this task and see that the service account did the action on behalf of SuperUser01.
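The two findings above (the SharedUser= parameter being trusted on its own in steps A to F, and the missing "on behalf of" record in steps G and H) come down to one authorization check and one audit record. The following is an added example, not K2's own code and not part of this report: it models a worklist with out-of-office rules and per-workflow exceptions, shows the insecure behaviour the report describes beside a hardened check that fails closed, and records who actually acted and on whose behalf. All names (the task SNs, the "OtherWF" workflow, the service account label, the class and method names) are constructed; the error text is modelled on the message quoted in the report.

```python
"""Hypothetical model of delegated worklist-item authorization.

Added example only: the data model, names and method names are constructed
to illustrate the check the report expects. Nothing here is K2's own code.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Task:
    sn: str           # worklist serial number, e.g. "5_43"
    workflow: str     # workflow the task belongs to
    destination: str  # user the task was assigned to


@dataclass
class OutOfOffice:
    user: str
    default_delegate: str
    exceptions: dict = field(default_factory=dict)  # workflow name -> delegate

    def delegate_for(self, workflow: str) -> str:
        # A per-workflow exception overrides the default delegate.
        return self.exceptions.get(workflow, self.default_delegate)


class WorklistDenied(PermissionError):
    """Raised when the actor may not open or action the worklist item."""


class Worklist:
    def __init__(self, tasks, ooo_rules):
        self.tasks = {t.sn: t for t in tasks}
        self.ooo = {r.user: r for r in ooo_rules}
        self.audit = []  # (actor, on_behalf_of, sn) for every completed action

    def participants(self, sn: str) -> set:
        """Users allowed to act on this task: the destination plus, if the
        destination is out of office, the delegate resolved for this task's
        workflow. The exception is honoured per task, not per user."""
        task = self.tasks[sn]
        allowed = {task.destination}
        rule = self.ooo.get(task.destination)
        if rule is not None:
            allowed.add(rule.delegate_for(task.workflow))
        return allowed

    def action_insecure(self, actor, sn, shared_user=None):
        """Behaviour the report describes: SharedUser= is taken at face value,
        so anyone holding the URL acts as the destination, and the audit trail
        loses the real actor."""
        task = self.tasks.get(sn)
        if task is None:
            raise WorklistDenied(self._deny_message(actor, sn))
        effective = shared_user or actor
        if effective != task.destination:
            raise WorklistDenied(self._deny_message(actor, sn))
        self.audit.append((effective, effective, sn))  # real actor is lost
        return task

    def action_secure(self, actor, sn, shared_user=None):
        """Hardened check: fail closed on an unknown SN, require the actor to
        be a participant of this specific task, and only allow acting on
        behalf of the task's destination. The audit record keeps both."""
        if sn not in self.tasks:
            raise WorklistDenied(self._deny_message(actor, sn))
        task = self.tasks[sn]
        on_behalf_of = shared_user or actor
        if actor not in self.participants(sn) or on_behalf_of != task.destination:
            raise WorklistDenied(self._deny_message(actor, sn))
        self.audit.append((actor, on_behalf_of, sn))
        return task

    @staticmethod
    def _deny_message(actor, sn):
        # Modelled on the error text quoted in the report (24411 is the code shown there).
        return (f"Worklist item could not be opened. 24411 {actor} "
                f"is not allowed to open the worklist item with SN={sn}")


def build_sample_worklist() -> Worklist:
    """Constructed data mirroring the report's scenario; account names are placeholders."""
    destination = "K2:K2TEST\\UserDestination"
    service_account = "K2:K2TEST\\ServiceAccount"  # placeholder for the delegated service account
    sup_user = "K2:K2TEST\\SupUser01"
    tasks = [
        Task("5_43", "K2FranceInstallationValidationWF", destination),
        Task("5_44", "OtherWF", destination),  # constructed second task, no exception applies
    ]
    rules = [OutOfOffice(destination, service_account,
                         {"K2FranceInstallationValidationWF": sup_user})]
    return Worklist(tasks, rules)


def is_allowed(wl: Worklist, actor, sn, shared_user=None, secure=True) -> bool:
    """True if the action is accepted, False if it is denied."""
    fn = wl.action_secure if secure else wl.action_insecure
    try:
        fn(actor, sn, shared_user)
        return True
    except WorklistDenied:
        return False


if __name__ == "__main__":
    wl = build_sample_worklist()
    svc, dest = "K2:K2TEST\\ServiceAccount", "K2:K2TEST\\UserDestination"
    print("insecure, service account via copied URL:", is_allowed(wl, svc, "5_43", dest, secure=False))
    print("secure, service account via copied URL:  ", is_allowed(wl, svc, "5_43", dest))
    print("audit:", wl.audit)
```

The decisive difference is that `action_secure` resolves the delegate for the task's own workflow before comparing it with the caller, so the exception for K2FranceInstallationValidationWF excludes the service account from SN 5_43 while still allowing it on tasks of other workflows; the unknown-SN and unauthorized cases both return the same denial, which is the "empty, as with a bad URL" behaviour the report asks for.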

Guest, Mar 25, 2024:

    Note: same issue if we use a normal account that is not linked to the service account.