  1. JBoss BPMS Platform
  2. RHBPMS-4755

[GSS]6.4.x HumanTask ExcludedOwner is able to claim, start and complete task


Details

    • Bug
    • Resolution: Done
    • Major
    • 6.4.5
    • 6.4.0, 6.4.2
    • jBPM Core
    • JBoss BPMSuite 6.4.0.GA, JBoss EAP 7

    • CR2

      1) Create a user "bpmsAdmin" with group "taskuser" in BPM Suite.
      2) Clone the project in BC.
      3) Build and deploy the project.
      4) Start a process instance.
      5) Claim and complete the task with "bpmsAdmin" user.
      6) The second task should not be accessible by the same user. However, the task ends up in the user's inbox, and the user is able to work on the task (claim, complete, etc.).

    • 2017 Week 22-23, 2017 Week 24-25, 2017 Week 26-27

    Description

      Given the following project: https://github.com/DuncanDoyle/jbpm-four-eyes-process

      This process aims to implement a very simple "four-eyes-principle" process. It contains 2 human-tasks. The idea is that the actor that completed the first task is not allowed to work on the second task. This is implemented by having an output mapping on the first task that maps the "ActorId" on a process variable and an input mapping on the second task that maps that process variable onto the "ExcludedOwnerId".

      I've debugged the PeopleAssignmentHelper, and the ExcludedOwner is correctly set on the PeopleAssignment of the task. I can see in the task MVELLifeCycleManager that when the claim command of the second task comes in, the PeopleAssignment indeed has the ExcludedOwner set to the actor that completed the first task. However, the same user is still able to claim, start and complete the task.

      It seems that the MVELLifeCycleManager.isAllowed(....) method does not take ExcludedOwners into account when it checks whether the user is allowed to execute a command/operation on the task.

      Second, the task also shows up in the user's task-list in Business Central.

      IMO, a user that is in the ExcludedOwner list of a task should not be able to see these tasks, operate on these tasks, etc.
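
      The access decision described in this report, as an added example that is not part of the original issue and is not jBPM code: a self-contained model showing a check that ignores excluded owners next to one that denies them first, for both task operations and the task list. The `Task` and `User` records and all method names are hypothetical; only the user "bpmsAdmin" and group "taskuser" come from the reproduction steps.

```java
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

public class FourEyesCheck {
    // Hypothetical minimal model of a task's people assignment (not jBPM's classes).
    record Task(String name, Set<String> potentialOwners, Set<String> excludedOwners) {}
    record User(String id, Set<String> groups) {}

    // True when the user id or one of the user's groups is a potential owner.
    static boolean isPotentialOwner(Task t, User u) {
        return t.potentialOwners().contains(u.id())
                || u.groups().stream().anyMatch(t.potentialOwners()::contains);
    }

    // Behaviour described in the report: the excluded-owner list is never consulted.
    static boolean isAllowedIgnoringExcluded(Task t, User u) {
        return isPotentialOwner(t, u);
    }

    // Expected behaviour: an excluded owner is denied before any allow rule runs,
    // so group membership cannot re-grant access to the second task.
    static boolean isAllowed(Task t, User u) {
        if (t.excludedOwners().contains(u.id())) {
            return false;
        }
        return isPotentialOwner(t, u);
    }

    // The same decision applied to the task list, so excluded tasks are not shown.
    static List<Task> visibleTasks(List<Task> tasks, User u) {
        return tasks.stream().filter(t -> isAllowed(t, u)).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample data; task names are placeholders.
        User bpmsAdmin = new User("bpmsAdmin", Set.of("taskuser"));
        Task first = new Task("first", Set.of("taskuser"), Set.of());
        // ExcludedOwnerId of the second task is the actor who completed the first one.
        Task second = new Task("second", Set.of("taskuser"), Set.of(bpmsAdmin.id()));

        System.out.println("ignoring excluded owners: " + isAllowedIgnoringExcluded(second, bpmsAdmin));
        System.out.println("deny excluded owners first: " + isAllowed(second, bpmsAdmin));
        System.out.println("tasks visible to bpmsAdmin: " + visibleTasks(List.of(first, second), bpmsAdmin).size());
    }
}
```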


            People

              rhn-support-tsurdilo Tihomir Surdilovic (Inactive)
              rhn-support-hmiura Hiroko Miura
              Marian Macik Marian Macik
              Marian Macik Marian Macik