Skip to content

Protect designer route with shared gate and add forbidden access test #8637

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
eiresendez wants to merge 2 commits into
base: develop
Choose a base branch
from
Open

Protect designer route with shared gate and add forbidden access test #8637

eiresendez wants to merge 2 commits into from
+21 −8

Conversation

@eiresendez
Copy link
Contributor

@eiresendez eiresendez commented Dec 8, 2025
edited
Loading

Issue & Reproduction Steps

An authenticated user with no designer permissions could load /designer directly.
Repro: create a user with no designer permissions, log in, visit /designer; the page renders instead of returning 403.

Solution

  • Register the view-designer gate in AuthServiceProvider::defineGates() and reuse it in menu middleware.
  • Protect the designer.index route with can:view-designer, so menu visibility and route access share the same rule.
  • Add a feature test that asserts a 403 for users without designer permissions hitting /designer.

How to Test

  1. Run php artisan test --filter=DesignerControllerTest.
  2. Manual: log in as a user without designer permissions and visit /designer; expect 403. Log in as an admin or a user with designer permissions; the designer page should load.

Related Tickets & Packages

ci:deploy

Code Review Checklist

  • I have pulled this code locally and tested it on my instance, along with any associated packages.
  • This code adheres to ProcessMaker Coding Guidelines.
  • This code includes a unit test or an E2E test that tests its functionality, or is covered by an existing test.
  • This solution fixes the bug reported in the original ticket.
  • This solution does not alter the expected output of a component in a way that would break existing Processes.
  • This solution does not implement any breaking changes that would invalidate documentation or cause existing Processes to fail.
  • This solution has been tested with enterprise packages that rely on its functionality and does not introduce bugs in those packages.
  • This code does not duplicate functionality that already exists in the framework or in ProcessMaker.
  • This ticket conforms to the PRD associated with this part of ProcessMaker.

@cursor
Copy link

cursor bot commented Dec 8, 2025

You have run out of free Bugbot PR reviews for this billing cycle. This will reset on December 21.

To receive reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.

@mcraeteisha mcraeteisha self-requested a review December 8, 2025 17:25
@vladyrichter
Copy link

vladyrichter commented Dec 19, 2025

QA server K8S was successfully deployed https://ci-5742247152.engk8s.processmaker.net

@processmaker-sonarqube
Copy link

processmaker-sonarqube bot commented Dec 19, 2025

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mcraeteisha mcraeteisha mcraeteisha approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@eiresendez @vladyrichter @mcraeteisha