/**
 * Ensures the current principal may act on {@code process} and, when one is given, on {@code task}.
 *
 * <p>The checks are applied in this order:
 * <ol>
 *   <li>a {@code null} process is a bad request;</li>
 *   <li>a missing principal, or one whose entity id is empty (e.g. a system user), is forbidden;</li>
 *   <li>a principal holding {@link AuthorizationRole#OVERSEER} on the process passes regardless of the task;</li>
 *   <li>any other principal must be a candidate or assignee of {@code task}.</li>
 * </ol>
 * When {@code task} is {@code null}, step 4 does not apply, so a non-overseer with a valid entity id is
 * not rejected by this method; task-less requests rely on the caller for any further restriction.
 *
 * <p>NOTE(review): the warn line below writes {@code principal.toString()} to the log; what that
 * rendering includes is not visible here — confirm it is limited to identifying fields.
 *
 * @param process the process being accessed
 * @param task the task being accessed, or {@code null} for a process-level request
 * @throws BadRequestError if {@code process} is {@code null}
 * @throws ForbiddenError if there is no usable principal, or the principal is neither an overseer of
 *     the process nor a candidate/assignee of the given task
 */
private void verifyCurrentUserIsAuthorized(Process process, Task task) throws ForbiddenError, BadRequestError {
    if (process == null) {
        throw new BadRequestError(Constants.ExceptionCodes.process_does_not_exist);
    }
    String taskId = (task == null) ? null : task.getTaskInstanceId();

    Entity principal = identityHelper.getPrincipal();
    boolean noUsableIdentity = principal == null || StringUtils.isEmpty(principal.getEntityId());
    if (noUsableIdentity) {
        LOG.error("Forbidden: Unauthorized user or user with no userId (e.g. system user) attempting to create a request for task: " + taskId);
        throw new ForbiddenError();
    }

    // Overseers are allowed through unconditionally; everybody else has to be on the task itself.
    if (principal.hasRole(process, AuthorizationRole.OVERSEER)) {
        return;
    }
    if (task == null || task.isCandidateOrAssignee(principal)) {
        return;
    }
    LOG.warn("Forbidden: Unauthorized principal " + principal.toString() + " attempting to access task " + taskId);
    throw new ForbiddenError();
}
/*
 * Helper methods
 */

/**
 * Resolves the {@link Activity} a request for {@code process} should work with.
 *
 * <p>Resolution order:
 * <ol>
 *   <li>If the process allows per-instance activities, a task with a definition key is supplied and
 *       an instance is present, the instance's activity map is consulted first and a hit is returned.</li>
 *   <li>Otherwise the process deployment is used: the key is the deployment's start activity key, or
 *       the task's definition key when a task is supplied (even if that key is {@code null}, which then
 *       resolves to nothing).</li>
 * </ol>
 *
 * @param process the process whose deployment defines the activities; not checked for {@code null} here
 * @param instance the process instance, or {@code null}; only used for per-instance overrides
 * @param task the current task, or {@code null} to resolve the start activity
 * @return the resolved activity, never {@code null}
 * @throws InternalServerError if the process has no deployment or no activity can be resolved
 *     ({@code process_is_misconfigured})
 */
public static Activity activity(Process process, ProcessInstance instance, Task task) throws StatusCodeError {
    // Per-instance override takes precedence when every precondition holds.
    Activity perInstance = null;
    if (process.isAllowPerInstanceActivities() && task != null && task.getTaskDefinitionKey() != null && instance != null) {
        Map<String, Activity> overrides = instance.getActivityMap();
        perInstance = (overrides == null) ? null : overrides.get(task.getTaskDefinitionKey());
    }
    if (perInstance != null) {
        return perInstance;
    }

    ProcessDeployment deployment = process.getDeployment();
    if (deployment == null) {
        throw new InternalServerError(Constants.ExceptionCodes.process_is_misconfigured);
    }

    // A supplied task always overrides the start activity key, whatever its definition key is.
    String key = deployment.getStartActivityKey();
    if (task != null) {
        key = task.getTaskDefinitionKey();
    }
    Activity resolved = (key == null) ? null : deployment.getActivity(key);
    if (resolved == null) {
        throw new InternalServerError(Constants.ExceptionCodes.process_is_misconfigured);
    }
    return resolved;
}
/**
 * Builds and persists a {@link FormRequest} for the given process, instance and task.
 *
 * <p>The activity is resolved via {@link #activity(Process, ProcessInstance, Task)}. A
 * {@link ActionType#CREATE} request against a task whose status is set and is not
 * {@code Constants.TaskStatuses.OPEN} is downgraded to {@link ActionType#VIEW} rather than rejected.
 * When {@code requestDetails} is present, its remote address/host/port/user, act-as user,
 * certificate issuer/subject, content type, referrer, user agent and acceptable media types are
 * copied onto the request; when {@code validation} is present its results become the request's
 * messages. The built request is then saved through {@code requestRepository}.
 *
 * <p>NOTE(review): the remote user, act-as user and certificate fields are persisted as supplied by
 * {@code RequestDetails}; where that object obtains them is not visible here — confirm they are
 * container-derived rather than taken from raw request headers.
 *
 * @param requestDetails transport-level details of the incoming request, or {@code null}
 * @param process the process the request belongs to
 * @param processInstance the instance the request belongs to, or {@code null}
 * @param task the task the request targets, or {@code null}
 * @param actionType the requested action; may be downgraded to {@code VIEW} as described above
 * @param validation validation results to attach as messages, or {@code null}
 * @return the persisted form request
 * @throws StatusCodeError if the activity cannot be resolved
 */
public FormRequest create(RequestDetails requestDetails, Process process, ProcessInstance processInstance, Task task, ActionType actionType, FormValidation validation) throws StatusCodeError {
    Activity activity = activity(process, processInstance, task);

    // Nobody may issue a CREATE for a task that is no longer open; fall back to VIEW.
    ActionType effectiveAction = actionType;
    if (effectiveAction == ActionType.CREATE
            && task != null
            && task.getTaskStatus() != null
            && !task.getTaskStatus().equals(Constants.TaskStatuses.OPEN)) {
        effectiveAction = ActionType.VIEW;
    }

    FormRequest.Builder builder = new FormRequest.Builder()
            .processDefinitionKey(process.getProcessDefinitionKey())
            .instance(processInstance)
            .task(task)
            .activity(activity)
            .action(effectiveAction);

    if (requestDetails != null) {
        String contentType = null;
        if (requestDetails.getContentType() != null) {
            contentType = requestDetails.getContentType().toString();
        }
        builder.remoteAddr(requestDetails.getRemoteAddr());
        builder.remoteHost(requestDetails.getRemoteHost());
        builder.remotePort(requestDetails.getRemotePort());
        builder.remoteUser(requestDetails.getRemoteUser());
        builder.actAsUser(requestDetails.getActAsUser());
        builder.certificateIssuer(requestDetails.getCertificateIssuer());
        builder.certificateSubject(requestDetails.getCertificateSubject());
        builder.contentType(contentType);
        builder.referrer(requestDetails.getReferrer());
        builder.userAgent(requestDetails.getUserAgent());

        List<MediaType> accepted = requestDetails.getAcceptableMediaTypes();
        if (accepted != null) {
            for (MediaType mediaType : accepted) {
                builder.acceptableMediaType(mediaType.toString());
            }
        }
    }

    if (validation != null) {
        builder.messages(validation.getResults());
    }

    return requestRepository.save(builder.build());
}