Bug
Resolution: Done
Major
6.2.0
None
Update
Going by the stack trace shown in Gary's comment below, the issue is not related to task retrieval via group ids.
The stack trace below shows that the `ClaimTaskCommand` does not succeed because the user id does not have the rights to do that.
Based on other information in the bug, it seems that the client is trying to claim a task using another user ("A") than the REST client user ("B"), but that the REST client prevents this.
The fix here is to change the security check on both the client and server side so that the operations can be submitted using a different user id than the user id used by the REST client to log in to the Workbench.
Original bug
+++ This bug was initially created as a clone of Bug #1330200 +++
Description of problem:
I am trying to use the APIs below to list the HumanTask assigned to a group through the Remote REST APIs, but it fails with an exception:
~~~
Unable to execute GetTaskAssignedAsPotentialOwnerCommand/0: org.kie.remote.services.rest.exception.KieRemoteRestOperationException: Organizational entity already exists with [UserImpl:'HR'] id, please check that there is no group and user with same id
~~~
Code:
=====================
// Build a remote runtime engine that talks to the Workbench REST API
RuntimeEngine engine = RemoteRuntimeEngineFactory.newRestBuilder()
        .addUrl(url).addUserName(userName).addPassword(passWord)
        .addDeploymentId(deploymentId).build();
KieSession ksession = engine.getKieSession();
TaskService taskService = engine.getTaskService();
ProcessInstance processInstance = ksession.startProcess("project1.TestProcess");
// "HR" is a group id, passed here in the user id parameter; this call raises the exception above
List<TaskSummary> tasklist = taskService.getTasksAssignedAsPotentialOwner("HR", "en-UK");
=====================
Version-Release number of selected component (if applicable):
BPMS 6.2.2
How reproducible:
Steps to Reproduce:
1. Start the server (BPMS 6.2.2) with -Dorg.kie.task.insecure=true and deploy the attached kjar.
2. Apply the one-off patch attached to BZ-1325945 and use the -Dorg.kie.task.insecure=true option on the client side and server side.
3. Try to list tasks using the Remote REST API
Actual results:
Not able to list User Task assigned to group through Remote REST API
Expected results:
User should be able to list task assigned to group through Remote REST API
Additional info:
— Additional comment from JBoss Product and Program Management on 2016-04-25 11:30:08 EDT —
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.
— Additional comment from William Antônio on 2016-04-28 00:09 EDT —
A workaround for this bug.
— Additional comment from William Antônio on 2016-04-28 00:10:08 EDT —
I ran a few tests and found that this is indeed a bug, not with the client-side patch, but with the task.insecure parameter implementation and with the core of the remote REST client API itself. The client patch only exposed this bug by allowing us to send requests to retrieve potential owners for a group; before it, this was not allowed.
The good news is that I have a workaround! The client Java API always sends a command to the server; the command used to get tasks by owner is the GetTaskAssignedAsPotentialOwnerCommand. The issue is that it uses the user id to set the potential owner when we should be using the target entity id. So the following should work to retrieve the tasks for a group (see the attached test class).
is blocked by
- RHBPMS-1904 Restrict insecure Remote task operations (not only limited to GetTask* commands) - Verified
- RHBPMS-4179 getTasksAssignedAsPotentialOwner doesn't allow groups searching, only actorid - Verified
- RHBPMS-4184 [GSS] (6.3.z) getTasksAssignedAsPotentialOwner doesn't allow groups searching, only actorid - Verified