FOUR-27623 | Users Can View All Cases Without “View All Cases” Permission#8834
mcraeteisha wants to merge 7 commits into
Conversation
Add authorization checks for the "All cases" listing. CasesController@index now accepts an optional $type param and aborts with 403 when $type === 'all' and the current user lacks the view-all_cases permission (admins allowed via Gate::before). The API route get_all_cases is also protected with the can:view-all_cases middleware to ensure the underlying endpoint is gated.
Add tests to enforce and validate the 'view-all_cases' permission. API test (Api\V1_1\CaseControllerTest) initializes permissions, creates a non-admin user and sample cases, asserts a 403 response without the permission and 200 with the permission (and checks the returned data count). Web tests (CasesControllerTest) register the Gate/Permission, assert the 'all' cases page returns 403 for users without the permission and 200 for users with it, and confirm other tabs and the default cases page remain accessible. Also add required Gate/Permission imports.
Add authorization in getAllCases to allow users to fetch cases scoped to themselves while requiring the 'view-all_cases' permission for broader queries. The code retrieves the authenticated user and requested userId, allows the request if it's for the user's own cases, and aborts with 403 if the caller lacks the permission (admins continue to be handled via Gate::before).
Ensure the 'view-all_cases' permission row exists and register a Gate in tests so the can:view-all_cases middleware is enforceable. Update the existing forbidden test to define the permission and Gate, and add two new tests: one that confirms a user can view their own cases (scoped by userId) without the global permission, and another that verifies a user cannot view another user's cases without the permission and that granting it restores access. Creates test data via factories and asserts correct response codes and payload counts.
QA server K8S was successfully deployed https://ci-a92011700c.engk8s.processmaker.net
eiresendez left a comment:
🔴 [ProcessMaker/Http/Controllers/Api/V1_1/CaseController.php:53] The new unscoped get_all_cases permission check breaks existing all-cases search tests. This is confirmed in GitHub Actions: run-phpunit is failing with 8 failures where CaseControllerSearchTest expected 200 but received 403.
Suggested fix: update CaseControllerSearchTest so tests that intentionally exercise all-cases search run as a user with view-all_cases, or pass userId only for tests that should validate self-scoped access.
QA server K8S was successfully deployed https://ci-a92011700c.engk8s.processmaker.net
eiresendez left a comment:
👍 👍
The fix now matches the authorization contract: unscoped get_all_cases requires view-all_cases, while self-scoped userId access remains allowed.
Issue
Ticket: FOUR-27623
Users without the "View All Cases" permission can still see every case in the platform by navigating directly to /cases/all.

Solution
Added permission checks for view-all_cases.
- The web check at ProcessMaker/Http/Controllers/CasesController.php — index() produces the proper "Not Authorized" page.
- ProcessMaker/Http/Controllers/Api/V1_1/CaseController.php — getAllCases now checks the requested userId and only requires view-all_cases when the request is not scoped to the authenticated user. This protects the data from direct API access while preserving the "My Cases" tab for everyone.

Added test coverage:
- tests/Feature/CasesControllerTest.php — three new tests on the web route:
  - testCasesAllPageReturns403WithoutViewAllCasesPermission — non-admin without the permission gets a 403 and sees the "Not Authorized" page text.
  - testCasesAllPageReturns200WithViewAllCasesPermission — once granted, the user can access /cases/all and the cases.casesMain view renders.
  - testCasesOtherTabsRemainAccessibleWithoutViewAllCasesPermission — regression guard that /cases, /cases/in_progress, and /cases/completed stay accessible for everyone.
- tests/Feature/Api/V1_1/CaseControllerTest.php — three new tests on the API route:
  - test_get_all_cases_forbidden_without_view_all_cases_permission — an unscoped request (the "All cases" tab) returns 403 for a non-admin without the permission, and 200 once granted.
  - test_get_all_cases_allows_user_to_view_their_own_cases_without_permission — a self-scoped request (userId = self, the "My cases" tab) returns 200 even with no special permission, and other users' cases never leak into the response.
  - test_get_all_cases_forbids_user_from_viewing_another_users_cases_without_permission — asking for another user's cases (userId = other) returns 403 without the permission, and 200 with it. Locks in the regression that any authenticated user could otherwise iterate userIds to enumerate every user's cases.

How To Test
- phpunit tests/Feature/CasesControllerTest.php
  - testCasesAllPageReturns403WithoutViewAllCasesPermission passes
  - testCasesAllPageReturns200WithViewAllCasesPermission passes
  - testCasesOtherTabsRemainAccessibleWithoutViewAllCasesPermission passes
- phpunit tests/Feature/Api/V1_1/CaseControllerTest.php
  - test_get_all_cases_forbidden_without_view_all_cases_permission passes
  - test_get_all_cases_allows_user_to_view_their_own_cases_without_permission passes
  - test_get_all_cases_forbids_user_from_viewing_another_users_cases_without_permission passes
- View All Cases.
- View All Cases granted directly under user permissions (Cases and Requests).
- /cases/all in the browser.
ci:deploy
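The authorization contract described in the PR (an unscoped listing or another user's listing requires view-all_cases, a self-scoped listing does not, and administrators bypass the check the way Gate::before does) can be written down as a single decision function. The block below is an added stand-alone PHP illustration, not ProcessMaker's code: the User class, mayListCases(), check() and the sample users are assumptions, and the real controller would call abort(403) wherever this returns false. It also covers two edge cases the description does not spell out: the userId query parameter arrives as a string and must be compared as an integer, and a missing or malformed userId is treated as an unscoped request rather than as self-scoping.

```php
<?php
// Added illustration of the authorization decision described in this PR.
// Not ProcessMaker's code: User, mayListCases(), check() and the sample
// users below are assumptions; the project's controller would abort(403)
// where this returns false. Requires PHP 8.1+.
declare(strict_types=1);

final class User
{
    /** @param string[] $permissions */
    public function __construct(
        public readonly int $id,
        public readonly bool $isAdministrator,
        private readonly array $permissions = [],
    ) {
    }

    // Stand-in for Laravel's $user->can('view-all_cases').
    public function can(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

/**
 * Decide whether $user may list cases for the requested scope.
 *
 * $requestedUserId is the raw "userId" request parameter (null when absent).
 * Anything that is not a valid integer is treated as an unscoped "All cases"
 * request, so a malformed value can never be mistaken for self-scoping.
 */
function mayListCases(User $user, mixed $requestedUserId): bool
{
    // Equivalent of the Gate::before hook: administrators always pass.
    if ($user->isAdministrator) {
        return true;
    }

    // Compare as integers: the query string delivers "7", the model holds 7.
    $scope = filter_var($requestedUserId, FILTER_VALIDATE_INT);
    if ($scope !== false && $scope === $user->id) {
        return true; // "My cases": a user's own cases need no extra permission
    }

    // Unscoped ("All cases") or another user's id: permission required.
    return $user->can('view-all_cases');
}

// In a controller the decision would be used like this (illustrative):
//   if (!mayListCases($request->user(), $request->input('userId'))) {
//       abort(403);
//   }
//   // The self-scoped query should then filter by $request->user()->id,
//   // not by the raw parameter, so the two can never drift apart.

function check(bool $condition, string $what): void
{
    if (!$condition) {
        throw new RuntimeException("failed: $what");
    }
}

// Constructed sample users.
$alice = new User(id: 7, isAdministrator: false);
$bob   = new User(id: 8, isAdministrator: false, permissions: ['view-all_cases']);
$admin = new User(id: 1, isAdministrator: true);

check(mayListCases($alice, null) === false,   'unscoped without permission is denied');
check(mayListCases($alice, '7') === true,     'own id as a query string is allowed');
check(mayListCases($alice, 8) === false,      'another user id without permission is denied');
check(mayListCases($alice, '') === false,     'empty userId is treated as unscoped');
check(mayListCases($alice, '7abc') === false, 'malformed userId is treated as unscoped');
check(mayListCases($bob, null) === true,      'permission grants unscoped access');
check(mayListCases($bob, 7) === true,         "permission grants other users' cases");
check(mayListCases($admin, 99) === true,      'administrator bypasses the check');
echo "all authorization checks behaved as expected\n";
```

Run it with `php authorize_cases.php`; it exits silently with the success line when every case of the contract holds and throws on the first mismatch. Keeping the decision in one function is what makes the PR's six tests meaningful: the web route (`/cases/all`) and the API route (get_all_cases) both reduce to the same three questions, so a later change to one cannot quietly reopen the other.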
Code Review Checklist