
Claim task security issue

Question asked by miljanmk on Feb 2, 2012
Latest reply on Feb 2, 2012 by ronald.van.kuijk
Hi,

I think that there is a security problem with claiming tasks. In other words, someone who is not a candidate user for a task can claim the task, because Activiti doesn't check for the group that the user belongs to.

See attached code (org.activiti.engine.impl.cmd.ClaimTaskCmd):

  public Void execute(CommandContext commandContext) {
    if (taskId == null) {
      throw new ActivitiException("taskId is null");
    }

    TaskEntity task = Context
      .getCommandContext()
      .getTaskManager()
      .findTaskById(taskId);

    if (task == null) {
      throw new ActivitiException("Cannot find task with id " + taskId);
    }
    if (userId != null) {
      if (task.getAssignee() != null) {
        if (!task.getAssignee().equals(userId)) {
          // When the task is already claimed by another user, throw exception. Otherwise, ignore
          // this, post-conditions of method already met.
          throw new ActivitiException("Task " + taskId + " is already claimed by someone else");
        }
      } else {
        // No candidate-user / candidate-group check happens before this assignment
        task.setAssignee(userId);
      }
    } else {
      // Task should be assigned to no one
      task.setAssignee(null);
    }

    return null;
  }

My question is, should we do this check before claiming tasks, or is this an issue that should be posted on Jira?

Best regards,
Miljan Kosanin
Java developer
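The check the post is asking about, shown as an added, self-contained illustration rather than Activiti's own code: a small in-memory task model where claim() mirrors the structure of the posted ClaimTaskCmd but refuses callers who are neither a candidate user nor a member of a candidate group. The Task, IdentityService and ClaimService types, and the sample users and groups, are all constructed for this example and are not part of the Activiti API.

```java
import java.util.*;

// Added illustration (not Activiti code): a claim operation that verifies the
// caller is a candidate before assigning the task. All names here are hypothetical.
public class ClaimAuthorizationExample {

    /** Minimal task: an assignee (null = unclaimed) plus candidate users and groups. */
    static final class Task {
        final String id;
        String assignee;
        final Set<String> candidateUsers;
        final Set<String> candidateGroups;
        Task(String id, Set<String> candidateUsers, Set<String> candidateGroups) {
            this.id = id;
            this.candidateUsers = candidateUsers;
            this.candidateGroups = candidateGroups;
        }
    }

    /** Hypothetical identity lookup: the groups a user belongs to. */
    interface IdentityService {
        Set<String> groupsOf(String userId);
    }

    static final class ClaimService {
        private final Map<String, Task> tasks = new HashMap<>();
        private final IdentityService identity;
        ClaimService(IdentityService identity) { this.identity = identity; }
        void add(Task t) { tasks.put(t.id, t); }

        /** True if the user is a candidate user or belongs to any candidate group. */
        boolean isCandidate(Task task, String userId) {
            if (task.candidateUsers.contains(userId)) return true;
            for (String group : identity.groupsOf(userId)) {
                if (task.candidateGroups.contains(group)) return true;
            }
            return false;
        }

        /** Same control flow as the posted command, with the authorization check added. */
        void claim(String taskId, String userId) {
            if (taskId == null) throw new IllegalArgumentException("taskId is null");
            Task task = tasks.get(taskId);
            if (task == null) throw new IllegalStateException("Cannot find task with id " + taskId);
            if (userId == null) {
                // Unclaim path, left as in the posted code
                task.assignee = null;
                return;
            }
            // The missing check: reject users who are not candidates for this task
            if (!isCandidate(task, userId)) {
                throw new SecurityException("User " + userId + " is not a candidate for task " + taskId);
            }
            if (task.assignee != null) {
                if (!task.assignee.equals(userId)) {
                    throw new IllegalStateException("Task " + taskId + " is already claimed by someone else");
                }
                return; // already claimed by this user, post-condition met
            }
            task.assignee = userId;
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: alice is in the candidate group, mallory is not
        Map<String, Set<String>> membership = new HashMap<>();
        membership.put("alice", Set.of("accounting"));
        membership.put("mallory", Set.of("sales"));
        IdentityService identity = user -> membership.getOrDefault(user, Set.of());

        ClaimService service = new ClaimService(identity);
        Task task = new Task("t1", Set.of("bob"), Set.of("accounting"));
        service.add(task);

        try {
            service.claim("t1", "mallory");
            System.out.println("unexpected: claim by non-candidate succeeded");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        service.claim("t1", "alice");
        System.out.println("assignee after alice claims: " + task.assignee);
    }
}
```

The check is placed before the assignee logic so that a non-candidate cannot even reach the "already claimed" branch and learn who holds the task. The unclaim path (userId == null) is deliberately left as in the posted code; whether it should also be restricted is a separate question from the one raised here.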
