  1. jBPM
  2. JBPM-5610

HumanTask ExcludedOwner is able to claim, start and complete task

    Details

    • Steps to Reproduce:

      1) Create a user "bpmsAdmin" with group "taskuser" in BPM Suite.
      1) Clone the project in BC
      2) Build and deploy the project.
      3) Start a process instance.
      4) Claim and complete the task with "bpmsAdmin" user.
      5) The second task should not be accessible by the same user. However, the task ends up in the user's inbox, and the user is able to work on the task (claim, complete, etc.).

    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      Given the following project: https://github.com/DuncanDoyle/jbpm-four-eyes-process

      This process aims to implement a very simple "four-eyes-principle" process. It contains 2 human-tasks. The idea is that the actor that completed the first task is not allowed to work on the second task. This is implemented by having an output mapping on the first task that maps the "ActorId" on a process variable and an input mapping on the second task that maps that process variable onto the "ExcludedOwnerId".

      I've debugged the PeopleAssignmentHelper, and the ExcludedOwner is correctly set on the PeopleAssignment of the task. I can see in the task MVELLifeCycleManager that when the claim command of the second task comes in, the PeopleAssignment indeed has the ExcludedOwner set to the actor that completed the first task. However, the same user is still able to claim, start and complete the task.

      It seems that the MVELLifeCycleManager.isAllowed(....) method does not take ExcludedOwners into account when it checks whether the user is allowed to execute a command/operation on the task.

      Second, the task also shows up in the user's task-list in Business Central.

      IMO, a user that is in the ExcludedOwner list of a task should not be able to see these tasks, operate on these tasks, etc.


                People

                • Assignee:
                  swiderski.maciej Maciej Swiderski
                  Reporter:
                  McCloud Duncan Doyle
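
The separation-of-duties check this report asks for, as an added example that is not jBPM code and not part of the original issue: exclusion is evaluated before any grant, and the same predicate filters the task list. The class and method names are hypothetical, and the assignment of the second task to group "taskuser" is an assumption made for the sample data.

```java
import java.util.*;

// Hypothetical model of a task's people assignments (not jBPM's classes).
public class ExcludedOwnerCheck {

    static final class Assignments {
        final Set<String> potentialOwners; // user ids or group ids
        final Set<String> excludedOwners;  // user ids or group ids
        Assignments(Set<String> potential, Set<String> excluded) {
            this.potentialOwners = potential;
            this.excludedOwners = excluded;
        }
    }

    // True if the user id or any of the user's groups appears in entities.
    static boolean matches(Set<String> entities, String userId, Collection<String> groups) {
        return entities.contains(userId) || !Collections.disjoint(entities, groups);
    }

    // Behaviour described in the report: only the grant side is consulted.
    static boolean isAllowedIgnoringExclusions(Assignments a, String userId, Collection<String> groups) {
        return matches(a.potentialOwners, userId, groups);
    }

    // Deny first: an exclusion overrides a grant obtained through a group.
    static boolean isAllowed(Assignments a, String userId, Collection<String> groups) {
        if (matches(a.excludedOwners, userId, groups)) {
            return false;
        }
        return matches(a.potentialOwners, userId, groups);
    }

    // Task-list query using the same predicate, so excluded tasks never reach the inbox.
    static List<String> visibleTasks(Map<String, Assignments> tasks, String userId, Collection<String> groups) {
        List<String> visible = new ArrayList<>();
        for (Map.Entry<String, Assignments> e : tasks.entrySet()) {
            if (isAllowed(e.getValue(), userId, groups)) visible.add(e.getKey());
        }
        return visible;
    }

    public static void main(String[] args) {
        // Constructed data: second task, first task was completed by bpmsAdmin.
        Assignments second = new Assignments(
                new HashSet<>(Arrays.asList("taskuser")),
                new HashSet<>(Arrays.asList("bpmsAdmin")));
        List<String> groups = Arrays.asList("taskuser");
        System.out.println("grant-only check:  " + isAllowedIgnoringExclusions(second, "bpmsAdmin", groups));
        System.out.println("deny-first check:  " + isAllowed(second, "bpmsAdmin", groups));
        System.out.println("visible to bpmsAdmin: "
                + visibleTasks(Collections.singletonMap("second-task", second), "bpmsAdmin", groups));
    }
}
```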
