Questions and discussion about using ProcessMaker: user interface, running cases & functionality
#795765
Hi,

I have an API generic user that I would like to use to get all case information (particularly, the grid information). I am running it in Postman, and get a Bad Request: You do not have permission to see this case or you have not participated in it.

I can get the general information on the case via advanced-search, but cannot drill in further. What permissions does my generic user need in order to retrieve case information?
#795766
Your user needs to have a role which contains the PM_ALLCASES permission in order to see the list of all cases. In order to be able to open the case and see the DynaForm containing the grid, you need to give your user Process Permissions to access the task which contains the DynaForm with the grid. If you want write access to the grid data, then your user needs to be assigned as a Process Manager to the process and the DynaForm containing the grid.

The other option is to export the grid to a Report Table and use an SQL query to obtain the grid data.

If you are doing all of this via the REST API, you can use GET /cases/{app_uid}/variables to get the variable for the grid in each case. I personally find it more convenient to create a trigger which queries a Report Table and assigns the result of that query to a case variable. Then call PUT /cases/{app_uid}/execute-trigger/{tri_uid} to set the variable and then call GET /cases/{app_uid}/variables to retrieve the results of the query stored in a case variable.
#795774
I'm still having trouble. I can get the list of app_uid's by using GET /cases/advanced-search, but when I use the GET /cases/{app_uid}/variables, I get an Unauthorized error.

I set up the process so that the permissions are allowed for APIUser (No participation, ANY type, All Object, VIEW Permission, and ALL status). I also set it up so that the APIUser is an Ad hoc user on all tasks in the form. APIUser has PM_ALLCASES and PM_REST_API_APPLICATIONS. Am I missing something else?
#795777
You are right. ProcessMaker is not checking whether the user has Process Permissions to access the case. For now you can get around this problem by editing the file workflow/engine/src/ProcessMaker/Services/Api/Cases.php and at line 900, change the code from:
    /**
     * Get Case Variables
     *
     * @access protected
     * @class  AccessControl {@className \ProcessMaker\Services\Api\Cases}
To:
    /**
     * Get Case Variables
     *
     * @class  AccessControl {@className \ProcessMaker\Services\Api\Cases}
Then, delete the REST routes file at shared/sites/{workspace}/routes.php

Note: On older versions it is located at shared/routes.php

The next time you call a REST endpoint this file will be regenerated. Now you should be able to access the variables with the endpoint.

I will file a bug report about this, because it is a potential security hole when any REST user can access the variables of any case. The problem is that "protected" access only checks whether the user is assigned to the case, but Process Permissions are designed to work on the task level, not the entire case, and this endpoint doesn't specify a task. I wonder if a new Process Permission will need to be created to cover this situation.
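
An added example (not from the thread or from ProcessMaker's code) for auditing which REST methods are left without the `@access protected` annotation after an edit like the one above. It assumes routes are declared with Restler-style `@url` docblock tags; the PHP sample and its method names are constructed for illustration.

```python
import re

# Constructed sample in the style of a REST API class (not the real Cases.php).
SAMPLE = r'''
class Cases extends Api
{
    /**
     * Get Case Variables
     * @class  AccessControl {@className \ProcessMaker\Services\Api\Cases}
     * @url GET /:app_uid/variables
     */
    public function getVariablesExample($app_uid) {}
    /**
     * Get Case Info
     * @access protected
     * @class  AccessControl {@className \ProcessMaker\Services\Api\Cases}
     * @url GET /:app_uid
     */
    public function getInfoExample($app_uid) {}
}
'''

# A docblock immediately followed by a public method declaration.
DOCBLOCK_METHOD = re.compile(
    r"/\*\*(?P<doc>(?:(?!\*/).)*)\*/\s*public\s+function\s+(?P<name>\w+)", re.S)

def audit_endpoints(php_source):
    """Return one dict per documented public method with its access annotations."""
    findings = []
    for m in DOCBLOCK_METHOD.finditer(php_source):
        doc = m.group("doc")
        access = re.search(r"@access\s+(\w+)", doc)
        urls = re.findall(r"@url\s+(\w+)\s+(\S+)", doc)  # assumed Restler-style tag
        findings.append({
            "method": m.group("name"),
            "routes": [f"{verb} {path}" for verb, path in urls],
            "access": access.group(1) if access else None,
            "access_control_class": "@class" in doc and "AccessControl" in doc,
        })
    return findings

def unprotected(php_source):
    """Methods exposed as routes whose docblock lacks '@access protected'."""
    return [f for f in audit_endpoints(php_source)
            if f["routes"] and f["access"] != "protected"]

if __name__ == "__main__":
    for f in unprotected(SAMPLE):
        print(f"{f['method']}: {', '.join(f['routes'])} has no '@access protected'")
```

Running it against the edited file before and after the change gives a list of routes to re-protect once a proper fix is available.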
