Able to claim task with user not in candidate group

prasanthr · September 22, 2020, 7:38am

Hi,

For my application, I have the following task,
<userTask id="usr_entry" name="Enter Details" flowable:candidateGroups="grp_mk" flowable:formKey="frm_cust_entry" flowable:formFieldValidation="true"></userTask>

And I have the following users in the IDM saved,
Group [ “grp_mk” ] --> containing [“maker_1”]
Group [ “grp_chk” ] --> containing [“checker_1”]

I use IDMIdentityService.createMembership(…) for incuding the user within the group.

Later on, I use,
processEngine.taskService.claim(taskId.id, user)

But here, no matter what user I use, I am able to claim the task.
Shouldn’t it throw an error or something if the wrong user tries to claim the task ?

joram · September 22, 2020, 10:21pm

No, Flowable doesn’t do any checks on identity. The candidateGroups are metadata, e.g. to build a UI that shows tasks only for that particular group, but no check is actually done. If you need that, you’d need to add your own checks on top of calling the Flowable API.

Topic		Replies	Views
How to retrieve a task candidate groups Flowable Engine	4	5248	August 25, 2017
Using claim with assignee type of assignment Flowable Engine	10	1587	September 9, 2019
REST API /runtime/tasks not working with candidateUser? Flowable Engine	9	1686	February 14, 2020
Can I use candidateGroups to restrict user access to a task? Flowable Engine	2	554	November 27, 2019
Complete task without claiming in Task App? Flowable Application	2	704	September 12, 2017

Able to claim task with user not in candidate group

Related topics