Can I use candidateGroups to restrict user access to a task?

Hi, I’m just starting to use Flowable and working my way through the tutorials.

In the “Getting Started” example, a user task is created with candidateGroups set to “managers”.

<userTask id="approveTask" name="Approve or reject request" flowable:candidateGroups="managers"/>

However, when I create a new user who is not assigned to any group, I can still use that identity to perform the “approveTask” task and set the “approved” variable to true.

I was expecting to get some kind of error message when I try to perform the “approveTask” with an identity which is not authorized for the “managers” group. Am I missing something? Or is there another property to control user access to a task?

@jli Have you found a solution to this issue? I am facing the same scenario and would like to see how you’ve handled yours. Thanks

In your code, check if the authenticated user is the assignee.
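The check suggested above, written out as an added example (not code from the thread or from the Flowable project). It goes a step further than the assignee check and also accepts a candidate of an unclaimed task, because `TaskService.complete` does not itself compare the caller against `candidateGroups`. The class name `GuardedTaskCompleter` is hypothetical, the Flowable 6 package names are assumed, and `userId` and `groupIds` are assumed to come from your application's authenticated session.

```java
import java.util.Map;
import java.util.Objects;
import java.util.Set;

import org.flowable.engine.TaskService;
import org.flowable.identitylink.api.IdentityLink;
import org.flowable.identitylink.api.IdentityLinkType;
import org.flowable.task.api.Task;

/** Hypothetical helper: route every task completion through this class. */
public class GuardedTaskCompleter {

    private final TaskService taskService;

    public GuardedTaskCompleter(TaskService taskService) {
        this.taskService = taskService;
    }

    /** userId and groupIds must come from the authenticated session, never from request input. */
    public void complete(String taskId, String userId, Set<String> groupIds,
                         Map<String, Object> variables) {
        Objects.requireNonNull(userId, "authenticated user id is required");
        Task task = taskService.createTaskQuery().taskId(taskId).singleResult();
        if (task == null) {
            throw new IllegalArgumentException("No active task with id " + taskId);
        }
        if (task.getAssignee() != null) {
            // Task already claimed: only the assignee may complete it.
            if (!task.getAssignee().equals(userId)) {
                throw new SecurityException(userId + " is not the assignee of task " + taskId);
            }
        } else if (isCandidate(taskId, userId, groupIds)) {
            // claim() throws if another user claimed the task in the meantime.
            taskService.claim(taskId, userId);
        } else {
            throw new SecurityException(userId + " is not a candidate for task " + taskId);
        }
        taskService.complete(taskId, variables);
    }

    /** True if the user, or one of the user's groups, has a candidate link on the task. */
    private boolean isCandidate(String taskId, String userId, Set<String> groupIds) {
        for (IdentityLink link : taskService.getIdentityLinksForTask(taskId)) {
            if (!IdentityLinkType.CANDIDATE.equals(link.getType())) continue;
            if (userId.equals(link.getUserId())) return true;
            if (link.getGroupId() != null && groupIds.contains(link.getGroupId())) return true;
        }
        return false;
    }
}
```

With the tutorial's `approveTask`, a user whose `groupIds` does not contain `managers` gets a `SecurityException` instead of completing the task.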