Showing process ids otherwise inaccessible when filtering with org

[pranavparikh]

When logged in with a non admin account , /api/v2/process?initiator=myusername&limit=50 doesn’t return the process id from the org where the user doesn't have access to. But we do see such process ids with this call /api/v2/process?orgName=notmyorgname&&initiator=nonadminuser&projectName=notmyproject&limit=50 . If the user doesn’t have access to the org and the project, should it still show the processes if filtered by the org and project name?

[ibodrov]

It should behave like the v1 version and judging by the code it already does the filtering based on the current user's orgs and projects, e.g. https://github.com/walmartlabs/concord/blob/master/server/impl/src/main/java/com/walmartlabs/concord/server/process/ProcessResourceV2.java#L252

Can you make a test to illustrate the issue?

[ibodrov]

Hey @pranavparikh! Any updates? Should we keep the issue open?

[pranavparikh]

@ibodrov ,
Let me try making a test

[ibodrov]

@pranavparikh any progress or should we close this?

[pranavparikh]

@ibodrov ,
Can you check out this test ?