TSK-1029: Add test to trigger permission bug

rest/taskana-rest-spring/src/test/java/pro/taskana/RestHelper.java

@@ -48,6 +48,14 @@ public class RestHelper {
     return headers;
   }
 
+  public HttpHeaders getHeadersBusinessAdmin() {
+    HttpHeaders headers = new HttpHeaders();
+    // businessadmin:businessadmin
+    headers.add("Authorization", "Basic YnVzaW5lc3NhZG1pbjpidXNpbmVzc2FkbWlu");
+    headers.add("Content-Type", "application/hal+json");
+    return headers;
+  }
+
   /**
    * Return a REST template which is capable of dealing with responses in HAL format.
    *

rest/taskana-rest-spring/src/test/java/pro/taskana/rest/WorkbasketControllerIntTest.java

@@ -12,6 +12,7 @@ import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.core.ParameterizedTypeReference;
 import org.springframework.hateoas.Link;
+import org.springframework.http.HttpEntity;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
@@ -107,6 +108,26 @@ class WorkbasketControllerIntTest {
     assertNotNull(response.getBody().getLink(Link.REL_PREVIOUS));
   }
 
+  /**
+   * Bug Ticket TSK-1029
+   *
+   * <p>Businessadmin is allowed to delete any workbasket ticket without user related access
+   * restrictions
+   */
+  @Test
+  void testWorkbasketDeletePermission() {
+
+    String workbasketID = "WBI:100000000000000000000000000000000005";
+
+    ResponseEntity<?> response =
+        template.exchange(
+            restHelper.toUrl(Mapping.URL_WORKBASKET_ID, workbasketID),
+            HttpMethod.DELETE,
+            new HttpEntity<>(restHelper.getHeadersBusinessAdmin()),
+            Void.class);
+    assertEquals(HttpStatus.NO_CONTENT, response.getStatusCode());
+  }
+
   @Test
   void testRemoveWorkbasketAsDistributionTarget() {
     ResponseEntity<?> response =