inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-08-14 17:58:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merged HEAD-BUG-FIX (5.1/Cloud) to HEAD (5.0/Cloud)

Browse Source 
85943: Merged V4.2-BUG-FIX (4.2.4) to HEAD-BUG-FIX (5.0/Cloud)
      85883: Merged DEV to V4.2-BUG-FIX (4.2.4)
         85645 : MNT-12382 : No access to process items of (unclaimed) pooled group task via Activiti REST API if user being member of assigned candidate group is not in administrators group
            - Add unit test
         85718 : MNT-12382 : No access to process items of (unclaimed) pooled group task via Activiti REST API if user being member of assigned candidate group is not in administrators group
            - Add check for unclaimed process
            - Add unit test
         85771 : MNT-12382 : No access to process items of (unclaimed) pooled group task via Activiti REST API if user being member of assigned candidate group is not in administrators group
            - Added check for membership in the assigned group for unclaimed pooled workflow


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@94521 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Alan Davis
2015-01-31 09:35:20 +00:00
parent dcb6c94e32
commit cee8cc5346
2 changed files with 142 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
source/java/org/alfresco/rest/workflow/api/impl/WorkflowRestImpl.java
View File

@@ -17,6 +17,7 @@ import org.activiti.engine.ProcessEngine;
import org.activiti.engine.history.HistoricTaskInstance;
import org.activiti.engine.history.HistoricTaskInstanceQuery;
import org.activiti.engine.history.HistoricVariableInstance;
import org.activiti.engine.task.Task;
import org.alfresco.model.ContentModel;
import org.alfresco.repo.dictionary.constraint.ListOfValuesConstraint;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
@@ -50,6 +51,7 @@ import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.repository.StoreRef;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.cmr.security.AuthorityType;
import org.alfresco.service.namespace.NamespaceService;
import org.alfresco.service.namespace.QName;
import org.apache.commons.beanutils.ConversionException;
@@ -493,13 +495,26 @@ public class WorkflowRestImpl
return variableInstances;
}
if (authorityService.isAdminAuthority(AuthenticationUtil.getRunAsUser()))
String username = AuthenticationUtil.getRunAsUser();
if (authorityService.isAdminAuthority(username))
{
// Admin is allowed to read all processes in the current tenant
return variableInstances;
}
else
{
// MNT-12382 check for membership in the assigned group
ActivitiScriptNode group = (ActivitiScriptNode) variableMap.get("bpm_groupAssignee");
if (group != null)
{
// check that the process is unclaimed
Task task = activitiProcessEngine.getTaskService().createTaskQuery().processInstanceId(processId).singleResult();
if ((task != null) && (task.getAssignee() == null) && isUserInGroup(username, group.getNodeRef()))
{
return variableInstances;
}
}
// If non-admin user, involvement in the task is required (either owner, assignee or externally involved).
HistoricTaskInstanceQuery query = activitiProcessEngine.getHistoryService()
.createHistoricTaskInstanceQuery()
@@ -550,4 +565,16 @@ public class WorkflowRestImpl
{
this.activitiWorkflowEngine = activitiWorkflowEngine;
}
private boolean isUserInGroup(String username, NodeRef group)
{
// Get the group name
String groupName = (String) nodeService.getProperty(group, ContentModel.PROP_AUTHORITY_NAME);
// Get all group members
Set<String> groupMembers = authorityService.getContainedAuthorities(AuthorityType.USER, groupName, false);
// Check if the user is a group member.
return (groupMembers != null) && groupMembers.contains(username);
}
}