- Bug Report
- Resolution: Cannot Reproduce
- L3 - Default
- None
- 7.12.0
- None
- Windows 1024h
I am using Camunda Spring Boot community edition 7.12.
In a workflow process, when I assign a human task to a Candidate Group, only people in that Candidate Group should be able to claim and complete the task.
I tried two different ways to test this but it does not work.
I have

    camunda:
      bpm:
        authorization:
          enabled: true

in my application.yml and also explicitly set using Defaults.INSTANCE.setAuthorizationEnabled(true); in my code.
(1) From user administration, created custom Candidate Groups, assigned them to users and then mapped Human tasks. Then I try to claim and complete tasks.
(2) Create a Bearer token Authentication provider which reads a JWT token from our authentication server and based on what is in the token it sets the groups (Candidate Groups) to the user using AuthenticationResults.setGroups() method.
Irrespective of what way I follow, anybody can claim anything and complete anything. No access control is enforced. This is a key requirement in any workflow application.
If I am doing anything wrong, please let me know how to make this work? If this is not working, please give us a quick fix because this is a critical functionality.