FOUR-28520 Reassign > The imported process does not list all reassign… #8664
Conversation
… user list ## Description When Assignment type=process variable and variable Name (groups) is set with a correct value then when reassign button is pressed, only the process manager is listed. ## Related tickets https://processmaker.atlassian.net/browse/FOUR-28520
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
This PR is being reviewed by Cursor Bugbot
Details
Your team is on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle for each member of your team.
To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.
| Route::post('users_task_count', [UserController::class, 'getUsersTaskCount'])->name('users.users_task_count_post') | ||
| ->middleware('can:view-users'); | ||
| Route::get('users_task_count', [UserController::class, 'getUsersTaskCount'])->name('users.users_task_count'); | ||
| Route::post('users_task_count', [UserController::class, 'getUsersTaskCount'])->name('users.users_task_count_post'); |
There was a problem hiding this comment.
Removed authorization allows any user to enumerate all users
The can:view-users middleware was removed from both GET and POST routes for users_task_count. The controller method getUsersTaskCount has no internal authorization check, so any authenticated user can now enumerate all active users in the system along with their usernames, names, and task counts. Without the assignable_for_task_id parameter, the endpoint returns all users, enabling information disclosure. Consider adding a more targeted permission check that validates the user's ability to reassign the specific task rather than removing authorization entirely.
|
… user list
Description
When Assignment type=process variable and variable Name (groups) is set with a correct value then when reassign button is pressed, only the process manager is listed.
Related tickets
https://processmaker.atlassian.net/browse/FOUR-28520
Note
Addresses incomplete reassign lists by moving user lookup to a single API and wiring components to it.
getReassignUsersintasks/apitoPOST users_task_countwithform_data(sanitized),assignable_for_task_id, optionalfilter, and excludescurrentTaskUserIdfrom resultsreassignMixin,TaskPreviewAssignment) to use the new API, passformDataandcurrentTaskUserId, debounce search, and add error handlingupdateReassignUserTasksPreviewintoTaskPreviewAssignment; simplifies toggle behaviorapi.phpto registerGET/POST users_task_countwithout the previous middleware guardsWritten by Cursor Bugbot for commit 4568f9a. This will update automatically on new commits. Configure here.