Can I use candidateGroups to restrict user access to a task?

jli · April 2, 2018, 3:34pm

Hi, I’m just starting to use Flowable and working my way through the tutorials.

In the “Getting Started” example, a user task is created with candidateGroups set to “managers”.

<userTask id="approveTask" name="Approve or reject request" flowable:candidateGroups="managers"/>

However, when I create a new user which is not assigned to any group, I can still use that identity to perform the task of “approveTask” and set the “approved” variable to true.

I was expecting to get some kind of error message when I try to perform the “approveTask” with an identity which is not authorized for the “managers” group. Am I missing something? Or is there another property to control user access to a task?

khcung · November 26, 2019, 2:38pm

@jli Have you found a solution to this issue? I am facing the same scenario and would like to see how you’ve handled yours. Thanks

tjmac · November 27, 2019, 1:27pm

In your code, check if the authenticated user is the assignee.

Topic		Replies	Views
Create Task and assign to CandidateGroup Flowable Engine	2	2010	January 9, 2018
Assign task to group & getting task assigned to group and user specific Flowable Engine	1	2682	December 29, 2017
Flowable permissions Flowable Engine	2	885	January 31, 2018
Querying candidate users / groups from TaskService Flowable Engine	0	762	January 17, 2020
Modifying User Task by code Flowable Engine	3	1042	February 12, 2020

Can I use candidateGroups to restrict user access to a task?

Related Topics