  /**
   * Checks that the current principal may act on {@code process} (and on {@code task}, when one is
   * given).
   *
   * <p>Access is denied when no principal is resolved or the principal carries no entity id, and
   * when the principal is not an {@link AuthorizationRole#OVERSEER} of the process and is neither a
   * candidate for nor the assignee of the given task. When {@code task} is {@code null}, a
   * non-overseer principal is only required to be authenticated — NOTE(review): confirm that this
   * is the intended scope for task-less requests.
   *
   * <p>The denial log lines include the task instance id and the principal's {@code toString()};
   * whatever that rendering contains ends up in the logs.
   *
   * @param process process the request targets; must not be {@code null}
   * @param task task the request targets, or {@code null} when the request is not bound to a task
   * @throws BadRequestError if {@code process} is {@code null}
   * @throws ForbiddenError if the current principal is missing, has no entity id, or lacks the
   *     required role / task relationship
   */
  private void verifyCurrentUserIsAuthorized(Process process, Task task)
      throws ForbiddenError, BadRequestError {
    if (process == null) {
      throw new BadRequestError(Constants.ExceptionCodes.process_does_not_exist);
    }

    final String instanceId = (task == null) ? null : task.getTaskInstanceId();
    final Entity currentPrincipal = identityHelper.getPrincipal();

    // No resolvable caller identity (e.g. a system user without a user id) is always rejected.
    final boolean unidentified =
        currentPrincipal == null || StringUtils.isEmpty(currentPrincipal.getEntityId());
    if (unidentified) {
      LOG.error(
          "Forbidden: Unauthorized user or user with no userId (e.g. system user) attempting to create a request for task: "
              + instanceId);
      throw new ForbiddenError();
    }

    // Overseers of the process pass unconditionally; everybody else must be tied to the task.
    final boolean overseer = currentPrincipal.hasRole(process, AuthorizationRole.OVERSEER);
    final boolean boundToTask = task != null && !task.isCandidateOrAssignee(currentPrincipal);
    if (!overseer && boundToTask) {
      LOG.warn(
          "Forbidden: Unauthorized principal "
              + currentPrincipal.toString()
              + " attempting to access task "
              + instanceId);
      throw new ForbiddenError();
    }
  }