FOUR-14018: Unauthorized Users Can View Screens, Data Connectors, and Decision Tables by estebangallego · Pull Request #6185 · ProcessMaker/processmaker

Issue & Reproduction Steps

Users without the appropriate permissions can see a list of screens, data connectors, and decision tables.

Steps to Reproduce:

  1. Log in as an admin.
  2. Create a user without permissions.
  3. Log out and then log in with the newly created user.
  4. Create a project.
  5. Open the project and add some assets (Process, Screen, Script, Data Connector, Decision Table).
  6. Attempt to edit or configure each asset.
  7. From the breadcrumb, attempt to see a list of the assets.
  8. Click on the sidebar icons.

At this point, the user is still able to see a list of Screens, Data Connectors, and Decision Tables.

Solution

Modify the $allowedEndpoints array to explicitly include the specific endpoint that corresponds to the current user's own assets. This grants the user permission to modify their own assets while continuing to restrict access to the system's other assets (in particular, the listing endpoints for screens, data connectors, and decision tables).
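To illustrate the intended behaviour of the allowlist, here is an added, self-contained PHP model that is not ProcessMaker's own code: the route patterns, the `isAllowedEndpoint()` helper, and the ownership map are assumptions for this example. Only a per-asset endpoint for an asset the user owns passes; the bare listing endpoints do not match any allowed pattern and are denied.

```php
<?php
// Hypothetical model of the $allowedEndpoints check (not ProcessMaker code).
// Each allowed pattern captures the asset id; the listing routes (no id) are
// deliberately absent, so a permission-less user cannot enumerate assets.
$allowedEndpoints = [
    'screen'         => '#^/assets/screens/(\d+)$#',
    'data_connector' => '#^/assets/data-connectors/(\d+)$#',
    'decision_table' => '#^/assets/decision-tables/(\d+)$#',
];

// Constructed ownership map: asset type => [asset id => owner user id].
$ownership = [
    'screen'         => [7 => 42],
    'data_connector' => [3 => 42, 4 => 99],
    'decision_table' => [11 => 99],
];

/**
 * Returns true only when the path matches an allowlisted per-asset endpoint
 * AND the referenced asset belongs to the requesting user.
 */
function isAllowedEndpoint(string $path, int $userId, array $allowed, array $owners): bool
{
    foreach ($allowed as $type => $pattern) {
        if (preg_match($pattern, $path, $m) !== 1) {
            continue; // not this asset type (or a listing route with no id)
        }
        $assetId = (int) $m[1];
        // Deny by default: unknown asset or owned by someone else.
        return ($owners[$type][$assetId] ?? null) === $userId;
    }
    return false; // no pattern matched: listing routes end up here
}

// Constructed sample requests from user 42 (the user created in the repro steps).
$requests = [
    '/assets/screens',               // listing (step 7/8): must be denied
    '/assets/screens/7',             // own screen: allowed
    '/assets/data-connectors/4',     // another user's connector: denied
    '/assets/decision-tables',       // listing: denied
];
foreach ($requests as $path) {
    $verdict = isAllowedEndpoint($path, 42, $allowedEndpoints, $ownership) ? 'allowed' : 'unauthorized';
    printf("%-30s %s\n", $path, $verdict);
}
```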

How to Test

Please follow the 'Steps to Reproduce' and verify that in steps 7 and 8, the user encounters an 'unauthorized' page, confirming that access is correctly restricted.

Related Tickets & Packages

ci:next

Code Review Checklist

  • I have pulled this code locally and tested it on my instance, along with any associated packages.
  • This code adheres to ProcessMaker Coding Guidelines.
  • This code includes a unit test or an E2E test that tests its functionality, or is covered by an existing test.
  • This solution fixes the bug reported in the original ticket.
  • This solution does not alter the expected output of a component in a way that would break existing Processes.
  • This solution does not implement any breaking changes that would invalidate documentation or cause existing Processes to fail.
  • This solution has been tested with enterprise packages that rely on its functionality and does not introduce bugs in those packages.
  • This code does not duplicate functionality that already exists in the framework or in ProcessMaker.
  • This ticket conforms to the PRD associated with this part of ProcessMaker.