Can I use candidateGroups to restrict user access to a task?

jli · April 2, 2018, 3:34pm

Hi, I’m just starting to use Flowable and working my way through the tutorials.

In the “Getting Started” example, a user task is created with candidateGroups set to “managers”.

<userTask id="approveTask" name="Approve or reject request" flowable:candidateGroups="managers"/>

However, when I create a new user which is not assigned to any group, I can still use that identity to perform the task of “approveTask” and set the “approved” variable to true.

I was expecting to get some kind of error message when I try to perform the “approveTask” with an identity which is not authorized for the “managers” group. Am I missing something? Or is there another property to control user access to a task?

khcung · November 26, 2019, 2:38pm

@jli Have you found a solution to this issue? I am facing the same scenario and would like to see how you’ve handled yours. Thanks

tjmac · November 27, 2019, 1:27pm

In your code, check if the authenticated user is the assignee.

Topic		Replies	Views
Create Task and assign to CandidateGroup Flowable Engine	2	2154	January 9, 2018
Assign task to group & getting task assigned to group and user specific Flowable Engine	1	2830	December 29, 2017
Flowable permissions Flowable Engine	2	949	January 31, 2018
Flowable user authorization on tasks Flowable Engine	1	394	October 2, 2019
How to retrieve a task candidate groups Flowable Engine	4	5202	August 25, 2017

Can I use candidateGroups to restrict user access to a task?

Related topics