Enforce Admin-Only Updates for Case Retention Policy via API#8765

Open
sanjacornelius wants to merge 3 commits into epic/FOUR-29101 from observation/FOUR-30278

Conversation

@sanjacornelius (Contributor) commented Mar 31, 2026

Issue & Reproduction Steps

This PR resolves an issue where non-admin users were able to modify Case Retention Policy configurations via the API. With this change, only admin users can update retention-related fields, ensuring proper authorization at the backend level.

Solution

  • Added a check to verify if the authenticated user is an admin before persisting retention-related configuration changes
  • For non-admin users, retention-related fields are reverted to their original values prior to saving

How to Test

  1. Authenticate as a non-admin user
  2. Send a PUT request to /api/1.0/processes/{id} with retention policy updates
  3. Verify that retention-related changes are not persisted

Related Tickets & Packages

ci:deploy

Code Review Checklist

  • I have pulled this code locally and tested it on my instance, along with any associated packages.
  • This code adheres to ProcessMaker Coding Guidelines.
  • This code includes a unit test or an E2E test that tests its functionality, or is covered by an existing test.
  • This solution fixes the bug reported in the original ticket.
  • This solution does not alter the expected output of a component in a way that would break existing Processes.
  • This solution does not implement any breaking changes that would invalidate documentation or cause existing Processes to fail.
  • This solution has been tested with enterprise packages that rely on its functionality and does not introduce bugs in those packages.
  • This code does not duplicate functionality that already exists in the framework or in ProcessMaker.
  • This ticket conforms to the PRD associated with this part of ProcessMaker.

Remove retention-related properties (retention_period, retention_updated_by, retention_updated_at) from the change set if the current user is not an administrator. This ensures only administrators can modify retention settings when publishing a process.

Prevent non-administrators from modifying retention fields by unsetting retention_updated_by, retention_updated_at and retention_period from the process properties before save.

Replace inline unsets with restoreProcessRetentionPropertiesFromOriginal. For non-administrator updates, reapply retention-related keys (retention_updated_by, retention_updated_at, retention_period) from the original model snapshot—decoding string-encoded properties if needed—and restore or remove keys to match the original state. This prevents non-admins from adding or modifying retention metadata and handles different property formats robustly.
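The restore-from-original behaviour described in the commit messages above, written out as an added illustration in Python; this is not ProcessMaker's PHP code. The three retention key names come from the commits; the function names, the `is_admin` flag and the sample process properties are constructed for the example.

```python
import json
from typing import Any, Dict, Optional, Union

# Fields that only administrators may change (names taken from the commit messages).
RETENTION_KEYS = ("retention_period", "retention_updated_by", "retention_updated_at")

Props = Union[str, Dict[str, Any], None]


def decode_properties(props: Props) -> Dict[str, Any]:
    """Normalise properties to a dict: the stored snapshot may be a JSON string."""
    if props is None:
        return {}
    if isinstance(props, str):
        decoded = json.loads(props)
        return decoded if isinstance(decoded, dict) else {}
    return dict(props)


def restore_retention_from_original(original: Props, incoming: Props,
                                    is_admin: bool) -> Dict[str, Any]:
    """Return the properties that may be persisted.

    Admins keep every change. For non-admins each retention key is forced back
    to the original snapshot: overwritten if it was changed, re-added if the
    request dropped it, and removed if the request introduced it.
    """
    new_props = decode_properties(incoming)
    if is_admin:
        return new_props
    orig_props = decode_properties(original)
    for key in RETENTION_KEYS:
        if key in orig_props:
            new_props[key] = orig_props[key]   # restore changed or dropped value
        else:
            new_props.pop(key, None)           # strip a key the request tried to add
    return new_props


# Constructed sample: stored snapshot is a JSON string, the PUT body is a dict.
ORIGINAL = '{"name": "Invoice", "retention_period": 30, "retention_updated_at": "2026-03-01"}'
NON_ADMIN_PUT = {"name": "Invoice v2", "retention_period": 1, "retention_updated_by": 7}


def demo(is_admin: bool = False) -> Dict[str, Any]:
    """Apply the check to the sample request; non-admin keeps only the name change."""
    return restore_retention_from_original(ORIGINAL, NON_ADMIN_PUT, is_admin)


if __name__ == "__main__":
    print(demo(is_admin=False))
```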
@processmaker-sonarqube commented

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

@Kookster310 (Contributor) commented

QA server K8S was successfully deployed https://ci-9079376f1b.engk8s.processmaker.net
