Added check to PUT task-instance REST API to ensure that the user claiming a task has the authority to do so i.e. they are a member of one of the pooled actor groups assigned to task.

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@21736 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

source/java/org/alfresco/repo/web/scripts/workflow/AbstractWorkflowWebscript.java

@@ -23,6 +23,7 @@ import java.util.Map;
 import org.alfresco.service.cmr.dictionary.DictionaryService;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.AuthorityService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.cmr.workflow.WorkflowService;
 import org.alfresco.service.namespace.NamespaceService;
@@ -43,6 +44,7 @@ public abstract class AbstractWorkflowWebscript extends DeclarativeWebScript
     protected PersonService personService;
     protected DictionaryService dictionaryService;
     protected AuthenticationService authenticationService;
+    protected AuthorityService authorityService;
     protected WorkflowService workflowService;
     
     @Override
@@ -77,6 +79,11 @@ public abstract class AbstractWorkflowWebscript extends DeclarativeWebScript
         this.authenticationService = authenticationService;
     }
     
+    public void setAuthorityService(AuthorityService authorityService)
+    {
+        this.authorityService = authorityService;
+    }
+    
     public void setWorkflowService(WorkflowService workflowService)
     {
         this.workflowService = workflowService;

source/java/org/alfresco/repo/web/scripts/workflow/TaskInstancePut.java

@@ -25,14 +25,17 @@ import java.util.Collection;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 
 import javax.servlet.http.HttpServletResponse;
 
 import org.alfresco.model.ContentModel;
+import org.alfresco.repo.security.authentication.AuthenticationUtil;
 import org.alfresco.repo.workflow.WorkflowModel;
 import org.alfresco.service.cmr.dictionary.PropertyDefinition;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.datatype.DefaultTypeConverter;
+import org.alfresco.service.cmr.security.AuthorityType;
 import org.alfresco.service.cmr.workflow.WorkflowTask;
 import org.alfresco.service.namespace.QName;
 import org.json.JSONArray;
@@ -191,13 +194,27 @@ public class TaskInstancePut extends AbstractWorkflowWebscript
     {
         boolean result = false;
         
-        Collection<?> actors = (Collection<?>)task.getProperties().get(WorkflowModel.ASSOC_POOLED_ACTORS);
+        // get groups that the current user has to belong (at least one of them)
+        final Collection<?> actors = (Collection<?>)task.getProperties().get(WorkflowModel.ASSOC_POOLED_ACTORS);
         if (actors != null && !actors.isEmpty())
         {
-            // TODO: determine whether the user is in any of the groups, for now allow
-            //       pooled tasks to be updated.
-            
-            result = true;
+            for (Object actor : actors)
+            {
+                // retrieve the name of the group
+                Map<QName, Serializable> props = nodeService.getProperties((NodeRef)actor);
+                String name = (String)props.get(ContentModel.PROP_AUTHORITY_NAME);
+                
+                // retrieve the users of the group
+                Set<String> users = authorityService.getContainedAuthorities(AuthorityType.USER, name, true);
+                
+                // see if the user is one of the users in the group
+                if (users != null && !users.isEmpty() && users.contains(currentUser))
+                {
+                    // they are a member of the group so stop looking!
+                    result = true;
+                    break;
+                }
+            }
         }
         
         return result;