Window Toolbar attached processes don't validate role access
Description
Hi, we have tested 7.1 and found toolbar attached processes don't validate role access.
Suggested behaviour: processes attached to the toolbar must consider the logged-in user's role access definition.
norbertbede
Toolbar button access defines button visibility, I suppose. We have in this case a specific button - not in scope of the toolbar. For me that means the gear icon must be controlled by role.
carlosruiz
18:08
yes - I think process access is required - toolbar button access is additional
Environment
tested 3.1 & 7.1
Activity
Carlos Ruiz September 20, 2020 at 12:31 PM
Test case reproducible in vanilla GardenWorld:
Role=GardenWorld User
Window=View Allocation
Button=Reset Allocation Direct
Executing the button throws -> You cannot access process [Reset Allocation Direct] with your role : GardenWorld User
Igor Pojzl September 16, 2020 at 12:54 PM
Created PR, added Role check on ToolbarButtons added from Columns. (AD_Column, Type:Button, IsToolbarButton = 'Y')
Norbert Bede September 16, 2020 at 11:47 AM
can’t be - it was reproduced in 7.1z - preparing PR.
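The two checks discussed in this issue (toolbar button visibility and process access) can be modelled as two separate gates, as in the following added example, which is not iDempiere source code or the code from the PR. All class and method names are hypothetical, and the process IDs and the second button are constructed sample data.

```java
import java.util.*;

// Added illustration: a self-contained model, not iDempiere source code.
// All class and method names here are hypothetical.
public class ToolbarProcessAccess {

    // A button column flagged IsToolbarButton='Y' that launches a process.
    static final class ButtonColumn {
        final String name; final int processId;
        ButtonColumn(String name, int processId) { this.name = name; this.processId = processId; }
    }

    // The role's process access list plus its toolbar button restrictions.
    static final class Role {
        final String name;
        final Set<Integer> allowedProcesses = new HashSet<>();
        final Set<String> hiddenToolbarButtons = new HashSet<>();
        Role(String name) { this.name = name; }
        boolean hasProcessAccess(int processId) { return allowedProcesses.contains(processId); }
    }

    // Gate 1 (building the toolbar): show a button only if the toolbar restriction
    // allows it AND the role may run the attached process.
    static List<String> visibleButtons(Role role, List<ButtonColumn> columns) {
        List<String> out = new ArrayList<>();
        for (ButtonColumn c : columns)
            if (!role.hiddenToolbarButtons.contains(c.name) && role.hasProcessAccess(c.processId))
                out.add(c.name);
        return out;
    }

    // Gate 2 (execution): checked again, so a stale or hand-built request still fails.
    static void execute(Role role, ButtonColumn c) {
        if (!role.hasProcessAccess(c.processId))
            throw new SecurityException("You cannot access process [" + c.name
                    + "] with your role : " + role.name);
    }

    public static void main(String[] args) {
        // Constructed sample data; the process IDs are placeholders.
        ButtonColumn reset = new ButtonColumn("Reset Allocation Direct", 1001);
        ButtonColumn other = new ButtonColumn("Sample Permitted Process", 1002);
        Role user = new Role("GardenWorld User");
        user.allowedProcesses.add(1002);

        System.out.println(visibleButtons(user, Arrays.asList(reset, other)));
        try { execute(user, reset); }
        catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```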