- Bug
- Resolution: Done
- Critical
- 6.1.0
- None
Description of problem:
Any authenticated user can see tasks which they don't own via the remote REST API.
For instance, in my test case, a user task is created with group "admin".
If the user is authenticated for the remote REST API as user "jbpmuser", who has the "admin" role,
i.e.
    restSessionFactory = new RemoteRestRuntimeEngineFactory(
            "com.samplerj01:1.0",
            new URL("http://localhost:8080/business-central/"),
            "bpmsuser", "bpmuser");
all of the following methods return the expected task list.
    getTasksOwned("bpmsuser", "en-UK")
    getTasksAssignedAsPotentialOwner("bpmsuser", "en-UK");
    getTasksAssignedAsPotentialOwnerByStatus("bpmsuser", status, "en-UK")
But, for a user authenticated for the remote REST API as user "guest", who doesn't have the "admin" role,
i.e.
    restSessionFactory = new RemoteRestRuntimeEngineFactory(
            "com.samplerj01:1.0",
            new URL("http://localhost:8080/business-central/"),
            "guest", "quest");
authentication succeeds and both getTasksAssignedAsPotentialOwner() and getTasksAssignedAsPotentialOwnerByStatus() return no tasks (as expected),
but getTasksOwned() for another user returns a list of tasks.
Version-Release number of selected component (if applicable):
BPM Suite 6.1.0
How reproducible:
Deploy a process including a user task and then search tasks using the REST API.
Steps to Reproduce:
1. Create 2 users: one (e.g. bpmsuser) who has the admin role and another (e.g. guest) who does not have the admin role.
2. On Business Central, create a business process including a user task which is assigned to a group (e.g. admin) and deploy it.
3. Log in to Business Central as the admin user (bpmsuser), then start some instances and claim and complete some of the user tasks.
4. Run the REST API, authenticating as the non-admin user, to get the list of tasks.
Actual results:
getTasksOwned() returns a list of tasks even if the user doesn't own the tasks and is not a member of the group which is assigned to the user task.
Expected results:
The other user's tasks are not returned if the user doesn't have the appropriate role.
Additional info:
This may be a duplicate of bug 1227897.
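As an added illustration (not jBPM's or BPM Suite's code; the classes, method names and sample tasks are hypothetical, Java 16+ for records), the unchecked query shape that produces the reported behaviour beside a hardened one that binds the requested userId to the authenticated caller unless the caller holds the admin role:

```java
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

public class TaskQueryGuard {
    // Simplified task model: who has claimed it and which group it was assigned to.
    record Task(long id, String actualOwner, String assignedGroup) {}

    // Authenticated principal as the container would present it: name plus granted roles.
    record Principal(String name, Set<String> roles) {}

    static final String ADMIN_ROLE = "admin";

    // Constructed sample data mirroring the report: tasks claimed by bpmsuser,
    // all assigned to group "admin"; task 3 is still unclaimed.
    static final List<Task> TASKS = List.of(
            new Task(1, "bpmsuser", "admin"),
            new Task(2, "bpmsuser", "admin"),
            new Task(3, null, "admin"));

    // Vulnerable shape: the userId query parameter is trusted as-is, so any
    // authenticated caller can list tasks owned by any other user.
    static List<Task> getTasksOwnedUnchecked(String userId) {
        return TASKS.stream()
                .filter(t -> userId.equals(t.actualOwner()))
                .collect(Collectors.toList());
    }

    // Hardened shape: the server decides from the authenticated identity, not
    // from the request. A caller may list only their own owned tasks unless
    // they hold the admin role; anything else is rejected rather than filtered.
    static List<Task> getTasksOwned(Principal caller, String userId) {
        boolean self = caller.name().equals(userId);
        boolean admin = caller.roles().contains(ADMIN_ROLE);
        if (!self && !admin) {
            throw new SecurityException(caller.name() + " may not list tasks owned by " + userId);
        }
        return getTasksOwnedUnchecked(userId);
    }

    public static void main(String[] args) {
        Principal admin = new Principal("bpmsuser", Set.of("admin"));
        Principal guest = new Principal("guest", Set.of());
        System.out.println("admin, own tasks: " + getTasksOwned(admin, "bpmsuser").size());
        System.out.println("unchecked, any caller: " + getTasksOwnedUnchecked("bpmsuser").size());
        try {
            getTasksOwned(guest, "bpmsuser");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```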
— Additional comment from JBoss Product and Program Management on 2015-06-08 04:40:07 EDT —
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.
— Additional comment from Hiroko Miura on 2015-06-08 21:48:26 EDT —
This is the first time I have opened a bug, so this bug report might be poor.
Please let me know if you need further information/clarification.
I could not find a valid workaround for this issue, and this would be a security issue. So if there is any workaround, please let me know.
— Additional comment from Alessandro Lazarotti on 2015-06-11 16:29:26 EDT —
Hi Hiroko,
If you/the customer want to receive a fix for this in a next cumulative patch, you need to create two BZs: one targeting 6.2.0 and another BZ targeting bpms-rollup-2-6.1.x.
Please see this document:
https://mojo.redhat.com/docs/DOC-1005271 (Cumulative Patch (Update Release))
- duplicates: RHBPMS-1987 [GSS] (6.1.z) Any authenticated user can see tasks which doesn't own by remote REST api (Closed)
- is blocked by: RHBPMS-1987 [GSS] (6.1.z) Any authenticated user can see tasks which doesn't own by remote REST api (Closed)