Description
While having the instance domain separated, when logging in or impersonating a user, the business rules form all different domains are being executed, instead of only from the user's domain.
The problem is caused because the method getUserByID(String id, boolean ignoreDomain) is invoked by the impersonation code with the ignoreDomain flag as 'true'. So, when we query the sys_user table, we end up querying the table with domain separation disabled and run all the BRs from all the domains. This is a problem when a table is queried with separation disabled.
Steps to Reproduce
1) Install domain separation plugin
In order to have the required users in the Impersonate user pop up,
While in ACME domain, Impersonate ACME employee
While in Initech domain, impersonate Initech ITIL
2) Go to cisco domain
3) Create a before query business rule (within cisco domain) with the following script:
var MyComp = gs.getUser().getCompanyID();
if (!gs.hasRole("itil")) {
current.addQuery("active", "true");
current.addQuery("company", MyComp);
}
4) Activate business rule debug
5) Impersonate ACME employee
6) Try to impersonate Initech ITIL
==> Note that the cisco business rule runs and prevents you from impersonating employee from other company
Workaround
We have to ignore domains while impersonating. Otherwise, users cannot impersonate across different domains. In general, it's problematic to have before query BRs on sys_user table configured in different domains. For these special cases, it is recommended to put the logic in the global BR and use the script to make any domain specific decisions.
Related Problem: PRB624243