Added check to PUT task-instance REST API to ensure that the user claiming a task has the authority to do so i.e. they are a member of one of the pooled actor groups assigned to task.

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@21736 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

config/alfresco/web-scripts-application-context.xml

@@ -782,11 +782,12 @@
           class="org.alfresco.repo.web.scripts.workflow.AbstractWorkflowWebscript"
           parent="webscript" abstract="true">
         <property name="namespaceService" ref="NamespaceService" />
-        <property name="nodeService" ref="NodeService"/>
-        <property name="personService" ref="PersonService"/>
-        <property name="dictionaryService" ref="DictionaryService"/>
-        <property name="authenticationService" ref="AuthenticationService"/>
-        <property name="workflowService" ref="WorkflowService"/>
+        <property name="nodeService" ref="NodeService" />
+        <property name="personService" ref="PersonService" />
+        <property name="dictionaryService" ref="DictionaryService" />
+        <property name="authenticationService" ref="AuthenticationService" />
+        <property name="authorityService" ref="AuthorityService" />
+        <property name="workflowService" ref="WorkflowService" />
     </bean>
 
     <!-- Lists the task instances, filtered by task owner and state. -->

source/java/org/alfresco/repo/web/scripts/workflow/AbstractWorkflowWebscript.java

@@ -23,6 +23,7 @@ import java.util.Map;
 import org.alfresco.service.cmr.dictionary.DictionaryService;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.AuthorityService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.cmr.workflow.WorkflowService;
 import org.alfresco.service.namespace.NamespaceService;
@@ -43,6 +44,7 @@ public abstract class AbstractWorkflowWebscript extends DeclarativeWebScript
     protected PersonService personService;
     protected DictionaryService dictionaryService;
     protected AuthenticationService authenticationService;
+    protected AuthorityService authorityService;
     protected WorkflowService workflowService;
     
     @Override
@@ -77,6 +79,11 @@ public abstract class AbstractWorkflowWebscript extends DeclarativeWebScript
         this.authenticationService = authenticationService;
     }
     
+    public void setAuthorityService(AuthorityService authorityService)
+    {
+        this.authorityService = authorityService;
+    }
+    
     public void setWorkflowService(WorkflowService workflowService)
     {
         this.workflowService = workflowService;

source/java/org/alfresco/repo/web/scripts/workflow/TaskInstancePut.java

@@ -25,14 +25,17 @@ import java.util.Collection;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 
 import javax.servlet.http.HttpServletResponse;
 
 import org.alfresco.model.ContentModel;
+import org.alfresco.repo.security.authentication.AuthenticationUtil;
 import org.alfresco.repo.workflow.WorkflowModel;
 import org.alfresco.service.cmr.dictionary.PropertyDefinition;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.datatype.DefaultTypeConverter;
+import org.alfresco.service.cmr.security.AuthorityType;
 import org.alfresco.service.cmr.workflow.WorkflowTask;
 import org.alfresco.service.namespace.QName;
 import org.json.JSONArray;
@@ -191,13 +194,27 @@ public class TaskInstancePut extends AbstractWorkflowWebscript
     {
         boolean result = false;
         
-        Collection<?> actors = (Collection<?>)task.getProperties().get(WorkflowModel.ASSOC_POOLED_ACTORS);
+        // get groups that the current user has to belong (at least one of them)
+        final Collection<?> actors = (Collection<?>)task.getProperties().get(WorkflowModel.ASSOC_POOLED_ACTORS);
         if (actors != null && !actors.isEmpty())
         {
-            // TODO: determine whether the user is in any of the groups, for now allow
-            //       pooled tasks to be updated.
+            for (Object actor : actors)
+            {
+                // retrieve the name of the group
+                Map<QName, Serializable> props = nodeService.getProperties((NodeRef)actor);
+                String name = (String)props.get(ContentModel.PROP_AUTHORITY_NAME);
                 
+                // retrieve the users of the group
+                Set<String> users = authorityService.getContainedAuthorities(AuthorityType.USER, name, true);
+                
+                // see if the user is one of the users in the group
+                if (users != null && !users.isEmpty() && users.contains(currentUser))
+                {
+                    // they are a member of the group so stop looking!
                     result = true;
+                    break;
+                }
+            }
         }
         
         return result;