Merged HEAD-BUG-FIX (5.1/Cloud) to HEAD (5.1/Cloud)

97453: Merged 5.0.N (5.0.2) to HEAD-BUG-FIX (5.1/Cloud) 97429: Merged V4.2-BUG-FIX (4.2.5) to 5.0.N (5.0.2) 97330: Merged DEV to V4.2-BUG-FIX (4.2.5) 97261 : MNT-13276 : 403 Forbidden exceptions with "pooled" workflows for Activiti REST API if user (a member of the task assigned group) is not in the administrators group - Added check for a member of the task assigned group - Added test git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@97629 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-14 17:58:59 +00:00 · 2015-02-20 15:04:35 +00:00
parent 05ad9c59e4
commit 3307a0a2e4
2 changed files with 122 additions and 2 deletions
--- a/source/java/org/alfresco/rest/workflow/api/impl/TasksImpl.java
+++ b/source/java/org/alfresco/rest/workflow/api/impl/TasksImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2014 Alfresco Software Limited.
+ * Copyright (C) 2005-2015 Alfresco Software Limited.
 *
 * This file is part of Alfresco
 *
@@ -778,6 +778,16 @@ public class TasksImpl extends WorkflowRestImpl implements Tasks
                        authorized = true;
                        break;
                    }
+                    // MNT-13276
+                    if ((taskInstance.getAssignee() == null) && (link.getGroupId() != null) && link.getType().equals(IdentityLinkType.CANDIDATE))
+                    {
+                        Set<String> userGroups = authorityService.getAuthoritiesForUser(user);
+                        if (userGroups.contains(link.getGroupId()))
+                        {
+                            authorized = true;
+                            break;
+                        }
+                    }
                    if (taskAction == TaskStateTransition.CLAIMED && link.getGroupId() != null && link.getType().equals(IdentityLinkType.CANDIDATE)) 
                    {
                        candidateGroups.add(link.getGroupId());