protected Submission.Builder submissionBuilder(
      ProcessInstance instance,
      SubmissionTemplate template,
      Entity principal,
      Submission rawSubmission) {
    // Fallback submitter: the authenticated principal, or a fixed marker when there is none.
    String principalId = principal == null ? "anonymous" : principal.getEntityId();

    // A SYSTEM principal may be recorded as the template's configured "act as" user.
    boolean systemPrincipal =
        principal != null && principal.getEntityType() == Entity.EntityType.SYSTEM;

    // Resolution order: act-as user (system only) > submitterId carried by the raw
    // submission > principal. The raw submission's submitterId is sanitized but is
    // otherwise trusted as given; it is not checked against the principal here.
    // NOTE(review): presumably the raw submission comes from the client request —
    // confirm that overriding the submitter from it is intended and authorized upstream.
    String submitterId;
    if (systemPrincipal && StringUtils.isNotEmpty(template.getActAsUser())) {
      submitterId = template.getActAsUser();
    } else if (rawSubmission != null && StringUtils.isNotEmpty(rawSubmission.getSubmitterId())) {
      submitterId = sanitizer.sanitize(rawSubmission.getSubmitterId());
    } else {
      submitterId = principalId;
    }

    // With a raw submission the builder copies (and sanitizes) it; without one the
    // action type is derived from whether a process instance already exists.
    Submission.Builder builder =
        rawSubmission == null
            ? new Submission.Builder()
                .actionType(instance == null ? ActionType.COMPLETE : ActionType.SAVE)
            : new Submission.Builder(rawSubmission, sanitizer, true);

    // Identification fields always come from the template, never from the raw submission.
    builder
        .processDefinitionKey(template.getProcess().getProcessDefinitionKey())
        .requestId(template.getRequestId())
        .taskId(template.getTaskId())
        .submissionDate(new Date())
        .submitter(identityService.getUser(submitterId));

    return builder;
  }
  /**
   * Checks that the current principal may create a request for {@code process}.
   *
   * <p>Rules, as implemented here: the principal must be present and carry an entity id; a
   * principal holding {@code AuthorizationRole.OVERSEER} on the process always passes; any
   * other principal passes when there is no task, and otherwise must be a candidate or
   * assignee of {@code task}.
   *
   * @param process the process being acted on; must not be {@code null}
   * @param task the task being acted on, or {@code null} when the request is not task-bound
   * @throws BadRequestError if {@code process} is {@code null}
   * @throws ForbiddenError if the principal is missing, has no entity id, or is neither an
   *     overseer nor a candidate/assignee of the given task
   */
  private void verifyCurrentUserIsAuthorized(Process process, Task task)
      throws ForbiddenError, BadRequestError {
    if (process == null) {
      throw new BadRequestError(Constants.ExceptionCodes.process_does_not_exist);
    }

    String taskId = task == null ? null : task.getTaskInstanceId();

    Entity principal = identityHelper.getPrincipal();
    // Principals without an entity id (e.g. system users) are rejected outright.
    boolean unidentified = principal == null || StringUtils.isEmpty(principal.getEntityId());
    if (unidentified) {
      LOG.error(
          "Forbidden: Unauthorized user or user with no userId (e.g. system user) attempting to create a request for task: "
              + taskId);
      throw new ForbiddenError();
    }

    // Non-overseers are only constrained when a task is involved; a task-less request from
    // any identified principal is accepted by this check.
    // NOTE(review): confirm that is the intended policy for task-less requests.
    boolean overseer = principal.hasRole(process, AuthorizationRole.OVERSEER);
    if (!overseer && task != null && !task.isCandidateOrAssignee(principal)) {
      // NOTE(review): the log line includes Entity.toString(); confirm it does not
      // expose attributes that should stay out of logs.
      LOG.warn(
          "Forbidden: Unauthorized principal "
              + principal.toString()
              + " attempting to access task "
              + taskId);
      throw new ForbiddenError();
    }
  }