jBPM / JBPM-5651

HumanTask: a user that is excluded from a task is able to list it among his potentially owned tasks.

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: jBPM 6.4.0.Final, 7.0.0.Beta6
    • Fix Version/s: 7.5.0.Final
    • Component/s: Console, Workbench
    • Labels:
      None
    • Environment:

      Tested in JBoss BPMSuite 6.4.0.GA, JBoss EAP 7

    • Sprint:
      2017 Week 40-41-42
    • Security Sensitive Issue:
      This issue is security relevant
    • Steps to Reproduce:

      1) Create a user "bpmsAdmin" with group "taskuser" in BPM Suite.
      2) Clone the project in BC.
      3) Build and deploy the project.
      4) Start a process instance.
      5) Claim and complete the task with a user in the "taskusers" group.
      6) With the same credentials, open the task list: you'll also get the second task "Four Eyes Task". The same happens if you query the tasks through the REST APIs.
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

    Description

    Given the following project: https://github.com/DuncanDoyle/jbpm-four-eyes-process
    This process aims to implement a very simple "four-eyes-principle" process. It contains two human tasks. The idea is that the actor that completed the first task is not allowed to work on the second task. This is implemented by having an output mapping on the first task that maps the "ActorId" onto a process variable, and an input mapping on the second task that maps that process variable onto the "ExcludedOwnerId".
    The user that performs the first task should not be able to see a task (as PotentialOwner) if the user is among the ExcludedOwners for that task.
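The following is an added example, not code from the linked project or from jBPM itself. It models the expected potential-owner query semantics the description relies on (a user qualifies through a direct ActorId or a GroupId, and is dropped when listed as ExcludedOwnerId), replays the two-task four-eyes flow with the ActorId-to-ExcludedOwnerId mapping, and includes an audit helper that, given the task names a task-list or REST query actually returned for a user, reports the ones that user is excluded from. The user "alice" and the "Completed"/"Ready" status strings are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Task:
    name: str
    potential_owners: Set[str]                          # user ids and group ids (ActorId / GroupId)
    excluded_owners: Set[str] = field(default_factory=set)  # ExcludedOwnerId on the task node
    actual_owner: Optional[str] = None
    status: str = "Ready"


def is_potential_owner(user: str, groups: Set[str], task: Task) -> bool:
    # Expected semantics: the user (or one of the user's groups) is listed as a
    # potential owner AND the user is not an excluded owner. The bug reported on
    # this page corresponds to skipping the exclusion check.
    if user in task.excluded_owners:
        return False
    return user in task.potential_owners or bool(groups & task.potential_owners)


def tasks_as_potential_owner(user: str, groups: Set[str], tasks: List[Task]) -> List[str]:
    """Names of the Ready tasks the user should see as potential owner."""
    return [t.name for t in tasks if t.status == "Ready" and is_potential_owner(user, groups, t)]


def run_four_eyes(first_actor: str) -> List[Task]:
    """Replay the two-task process: whoever completes the first task is excluded from the second."""
    first = Task("First Task", potential_owners={"taskuser"})
    # Claim and complete task 1 with the given user.
    first.actual_owner = first_actor
    first.status = "Completed"
    # Output mapping: ActorId of task 1 -> process variable.
    completed_by = first.actual_owner
    # Input mapping: that process variable -> ExcludedOwnerId of task 2.
    second = Task("Four Eyes Task", potential_owners={"taskuser"}, excluded_owners={completed_by})
    return [first, second]


def find_excluded_leaks(user: str, returned_task_names: List[str], tasks: List[Task]) -> List[str]:
    """Audit helper: given the task names a query returned for `user`, report those the
    user is excluded from. A non-empty result means the exclusion is not being enforced."""
    by_name = {t.name: t for t in tasks}
    return [n for n in returned_task_names if user in by_name[n].excluded_owners]


if __name__ == "__main__":
    tasks = run_four_eyes("bpmsAdmin")
    print("bpmsAdmin sees:", tasks_as_potential_owner("bpmsAdmin", {"taskuser"}, tasks))  # []
    print("alice sees:", tasks_as_potential_owner("alice", {"taskuser"}, tasks))          # ['Four Eyes Task']
    # Simulate the faulty task list from the report: the second task came back for bpmsAdmin.
    print("leaks:", find_excluded_leaks("bpmsAdmin", ["Four Eyes Task"], tasks))          # ['Four Eyes Task']
```

`find_excluded_leaks` is the piece worth keeping around: feed it the task names returned by the console or the REST task query for a given user together with the tasks' excluded-owner lists, and an empty result confirms the exclusion is honoured on the queried version.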

    People

    • Assignee: cristiano.nicolai Cristiano Nicolai
    • Reporter: dmarrazzo Donato Marrazzo