Given the following project: https://github.com/DuncanDoyle/jbpm-four-eyes-process
This process aims to implement a very simple "four-eyes-principle" process. It contains 2 human-tasks. The idea is that the actor that completed the first task is not allowed to work on the second task. This is implemented by having an output mapping on the first task that maps the "ActorId" on a process variable and an input mapping on the second task that maps that process variable onto the "ExcludedOwnerId".
I've debugged the PeopleAssignmentHelper, and the ExcludedOwner is correctly set on the PeopleAssignment of the task. I can see in the task MVELLifeCycleManager that when the claim command of the second task comes in, the PeopleAssignment indeed has the ExcludedOwner set to the actor that completed the first task. However, the same user is still able to claim, start and complete the task.
It seems that the MVELLifeCycleManager.isAllowed(....) method does not take ExcludedOwners into account when it checks whether the user is allowed to execute a command/operation on the task.
Second, the task also shows up in the user's task-list in Business Central.
IMO, a user that is in the ExcludedOwner list of a task should not be able to see these tasks, operate on these tasks, etc.
- clones JBPM-5610 HumanTask ExcludedOwner is able to claim, start and complete task (Resolved)
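
A minimal sketch of the behaviour this report asks for, added here as an illustration and not jBPM's own code: the excluded-owner check runs before any potential-owner match, and the task-list filter reuses the same check. The `Task` record, `isAllowed` and `taskList` are hypothetical simplified stand-ins for the task service classes, and the user and group names are constructed sample data.

```java
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

// Simplified model for illustration; these are not the jBPM task service classes.
public class FourEyesCheck {
    record Task(String name, Set<String> potentialOwners, Set<String> excludedOwners) {}

    // Deny overrides allow: an excluded user is rejected even when a group
    // membership would otherwise make them a potential owner. The same check
    // is meant to guard every operation (claim, start, complete).
    static boolean isAllowed(String userId, Set<String> groups, Task task) {
        if (task.excludedOwners().contains(userId)) {
            return false;
        }
        return task.potentialOwners().contains(userId)
                || groups.stream().anyMatch(task.potentialOwners()::contains);
    }

    // Task-list queries apply the same rule, so an excluded user does not
    // see the task at all.
    static List<Task> taskList(String userId, Set<String> groups, List<Task> tasks) {
        return tasks.stream()
                .filter(t -> isAllowed(userId, groups, t))
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample data: "alice" completed the first task, so her
        // actor id was mapped onto the second task's excluded owners.
        Task second = new Task("second-approval", Set.of("approvers"), Set.of("alice"));
        Set<String> approvers = Set.of("approvers");

        System.out.println("alice may claim: " + isAllowed("alice", approvers, second));
        System.out.println("bob may claim: " + isAllowed("bob", approvers, second));
        System.out.println("alice sees tasks: " + taskList("alice", approvers, List.of(second)).size());
    }
}
```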