Details
-
Improvement
-
Status: Open
-
Major
-
Resolution: Unresolved
-
1.8.4
Description
Background
Currently, when a job gets triggered via API, the permission of the authenticated user is evaluated, whether it has permission to run jobs, generally. If yes, the initiator user gets replaced by System user in the context, and the job’s actions get triggered using that context. There are no further permission checking while running jobs, e.g. for the specific job, or a step of the job.
Whenever any permission checking gets introduced, during running the job, performing actions will not be permitted, because by default the used System user does not have any permission - this could break currently running, live systems.
Goal
Have the permissions evaluated based on the authenticated user and the action, when triggering a job via API. Have job-specific permission.
Analysis
- to be evaluated, whether it worked like this earlier, or got broken when implementing features recently.