Able to claim task with user not in candidate group


For my application, I have the following task,
<userTask id="usr_entry" name="Enter Details" flowable:candidateGroups="grp_mk" flowable:formKey="frm_cust_entry" flowable:formFieldValidation="true"></userTask>

And I have the following users in the IDM saved,
Group [ “grp_mk” ] --> containing [“maker_1”]
Group [ “grp_chk” ] --> containing [“checker_1”]

I use IDMIdentityService.createMembership(…) for incuding the user within the group.

Later on, I use,
processEngine.taskService.claim(, user)

But here, no matter what user I use, I am able to claim the task.
Shouldn’t it throw an error or something if the wrong user tries to claim the task ?

No, Flowable doesn’t do any checks on identity. The candidateGroups are metadata, e.g. to build a UI that shows tasks only for that particular group, but no check is actually done. If you need that, you’d need to add your own checks on top of calling the Flowable API.