12.13.0 (backend only)
Breaking change: version 12.13.0 introduces the implementation of additional access control checks. Upgrading to this version without configuring extra permissions might cause errors and loss of functionality.
This version resolves the vulnerability (CVE 8,6) explained here.
At the moment of writing, only the 12.13.0 backend has been released. This page will be updated when the frontend release has been published as well.
New features - GZAC edition
Access control for Objects
Access Control checks have been implemented for interaction with the Objecten API. Because the Objects and Objecttypes are not part of the GZAC database, the permissions are limited to include only an action. The following actions are available:
view
view_list
create
modify
delete
An example of Object permissions looks as follows:
"permissions": [
    {
        "resourceType": "com.ritense.objectenapi.security.Object",
        "action": "create"
    },
    {
        "resourceType": "com.ritense.objectenapi.security.Object",
        "action": "modify"
    },
    {
        "resourceType": "com.ritense.objectenapi.security.Object",
        "action": "view"
    },
    {
        "resourceType": "com.ritense.objectenapi.security.Object",
        "action": "view_list"
    },
    {
        "resourceType": "com.ritense.objectenapi.security.Object",
        "action": "delete"
    }
]
To reduce the impact of this breaking change, an application property has been added to disable the access control checks for Objects. The following properties can be set to false:
valtimo.authorization.objectenapi.enabled (application property), or
VALTIMO_AUTHORIZATION_OBJECTENAPI_ENABLED (environment variable)
Disabling the access control checks for Objects can be a severe security risk and is highly discouraged.
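A pre-upgrade check for the Object permissions described above, as an added example that is not part of Valtimo or of these release notes: it reports which of the five Object actions a permission set does not grant, which action names are not in the list, and whether the checks have been switched off through the environment variable. The function name audit_object_permissions and the sample data are constructed for illustration, and the permissions are assumed to be supplied in the shape shown above.

```python
import json

# Values taken from the release notes above.
OBJECT_RESOURCE = "com.ritense.objectenapi.security.Object"
OBJECT_ACTIONS = {"view", "view_list", "create", "modify", "delete"}
DISABLE_ENV = "VALTIMO_AUTHORIZATION_OBJECTENAPI_ENABLED"


def audit_object_permissions(permissions, env=None):
    """Audit a list of permission entries (hypothetical helper, not a Valtimo API)."""
    env = env or {}
    granted, unknown = set(), set()
    for entry in permissions:
        if entry.get("resourceType") != OBJECT_RESOURCE:
            continue  # other resource types are out of scope for this check
        action = entry.get("action")
        if action in OBJECT_ACTIONS:
            granted.add(action)
        else:
            unknown.add(str(action))  # typo or unsupported action name
    return {
        # Actions that will be denied after the upgrade unless they are added.
        "missing_actions": sorted(OBJECT_ACTIONS - granted),
        "unknown_actions": sorted(unknown),
        # True when the environment variable turns the Object checks off.
        "checks_disabled": str(env.get(DISABLE_ENV, "")).strip().lower() == "false",
    }


# Constructed sample: read-only Object access plus one misspelled action.
SAMPLE = json.loads("""
{"permissions": [
  {"resourceType": "com.ritense.objectenapi.security.Object", "action": "view"},
  {"resourceType": "com.ritense.objectenapi.security.Object", "action": "view_list"},
  {"resourceType": "com.ritense.objectenapi.security.Object", "action": "remove"}
]}
""")

if __name__ == "__main__":
    import os
    report = audit_object_permissions(SAMPLE["permissions"], os.environ)
    for key, value in report.items():
        print(f"{key}: {value}")
```
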
BPMN Modeling Improvements
Several enhancements have been made to improve the stability and default behavior when modeling BPMN processes:
Default ServiceTask expression
When a ServiceTask expression is left empty, it is now automatically set to ${null}. This prevents errors when saving the process model.
Default SendTask expression
Similarly, when a SendTask expression is left empty, it is now set to ${null} by default.
Default timer configuration
Timers without a defined value are now automatically set to 60 seconds.
This ensures timers always have a valid fallback configuration.
CallActivity business key propagation
New CallActivity elements are now automatically configured to propagate the business key.
This avoids common modeling issues where the document ID would otherwise be lost.
MessageSendEvent correlation behavior
When a MessageSendEvent expression is left empty but a message is defined, it now defaults to correlating all.
This provides a safer and more predictable default behavior.
Stop All Processes for a Case
It is now possible to terminate all running processes that are associated with a specific case. This can be achieved by configuring a BPMN ServiceTask expression:
${processService.deleteAllProcessInstancesForThisDocument(execution, "Test deletion process")}
Details
The expression stops all active process instances related to the current case/document.
A reason can be provided as a parameter (in the example above: "Test deletion process").
Once invoked, all processes for the case are stopped immediately.
Bugfixes
CallActivity Execution with StartEvent
Previously, when a BPMN process was modeled such that a CallActivity was triggered synchronously with the StartEvent, the process would fail during execution and result in an error.
This issue has now been resolved:
CallActivities can safely be modeled to start directly with the StartEvent.
Processes that use this pattern will now execute correctly without requiring workarounds.