Able to claim task with user not in candidate group

prasanthr · September 22, 2020, 7:38am

Hi,

For my application, I have the following task,
<userTask id="usr_entry" name="Enter Details" flowable:candidateGroups="grp_mk" flowable:formKey="frm_cust_entry" flowable:formFieldValidation="true"></userTask>

And I have the following users in the IDM saved,
Group [ “grp_mk” ] --> containing [“maker_1”]
Group [ “grp_chk” ] --> containing [“checker_1”]

I use IDMIdentityService.createMembership(…) for incuding the user within the group.

Later on, I use,
processEngine.taskService.claim(taskId.id, user)

But here, no matter what user I use, I am able to claim the task.
Shouldn’t it throw an error or something if the wrong user tries to claim the task ?

joram · September 22, 2020, 10:21pm

No, Flowable doesn’t do any checks on identity. The candidateGroups are metadata, e.g. to build a UI that shows tasks only for that particular group, but no check is actually done. If you need that, you’d need to add your own checks on top of calling the Flowable API.

Topic		Replies	Views
REST API /runtime/tasks not working with candidateUser? Flowable Engine	9	1559	February 14, 2020
Flowable user authorization on tasks Flowable Engine	1	361	October 2, 2019
Flowable Authorization Flowable Engine	1	606	April 23, 2019
Flowable Keycloak all usersare added to all groups BUG Flowable Engine	4	749	January 18, 2023
Custom Users and Groups in Flowable Flowable Engine	1	1420	October 18, 2018

Able to claim task with user not in candidate group

Related Topics