/**
 * Prepares a {@link Submission.Builder} for the given template, resolving who counts as the submitter.
 *
 * <p>Submitter resolution, in priority order:
 * <ol>
 *   <li>a SYSTEM principal whose template declares a non-empty {@code actAsUser} submits as that user;</li>
 *   <li>otherwise a non-empty {@code submitterId} carried by {@code rawSubmission} is used (after sanitizing);</li>
 *   <li>otherwise the principal's own entity id, or {@code "anonymous"} when there is no principal.</li>
 * </ol>
 *
 * @param instance      the process instance being acted on; {@code null} selects {@code ActionType.COMPLETE}
 *                      (otherwise {@code ActionType.SAVE}) when no raw submission is supplied
 * @param template      supplies the process definition key, request id and task id; must not be {@code null}
 * @param principal     the authenticated caller, or {@code null}
 * @param rawSubmission an incoming submission to base the builder on, or {@code null} for a fresh builder
 * @return a builder populated with process/request/task identifiers, the current date and the resolved submitter
 */
protected Submission.Builder submissionBuilder(
        ProcessInstance instance,
        SubmissionTemplate template,
        Entity principal,
        Submission rawSubmission) {
    // Default: the principal itself, or "anonymous" if nobody is authenticated.
    String submitterId = principal == null ? "anonymous" : principal.getEntityId();

    boolean systemActingAsUser = principal != null
            && principal.getEntityType() == Entity.EntityType.SYSTEM
            && StringUtils.isNotEmpty(template.getActAsUser());
    if (systemActingAsUser) {
        submitterId = template.getActAsUser();
    } else if (rawSubmission != null && StringUtils.isNotEmpty(rawSubmission.getSubmitterId())) {
        // NOTE(review): this id comes from the submission payload and is only sanitized here,
        // not compared against the principal — confirm that callers restrict who may set it.
        submitterId = sanitizer.sanitize(rawSubmission.getSubmitterId());
    }

    Submission.Builder builder;
    if (rawSubmission == null) {
        builder = new Submission.Builder()
                .actionType(instance == null ? ActionType.COMPLETE : ActionType.SAVE);
    } else {
        builder = new Submission.Builder(rawSubmission, sanitizer, true);
    }

    builder.processDefinitionKey(template.getProcess().getProcessDefinitionKey())
            .requestId(template.getRequestId())
            .taskId(template.getTaskId())
            .submissionDate(new Date())
            .submitter(identityService.getUser(submitterId));
    return builder;
}
/**
 * Checks that the current principal is allowed to act on {@code process} (and on {@code task}, when given).
 *
 * <p>Decision order: a missing process is a bad request; a missing or id-less principal is forbidden;
 * a process OVERSEER is always allowed; otherwise, if a task is given, the principal must be a
 * candidate or assignee of it.
 *
 * @param process the process being accessed; {@code null} is rejected
 * @param task    the task being accessed, or {@code null} when the check is process-level only
 * @throws BadRequestError if {@code process} is {@code null}
 * @throws ForbiddenError  if no identifiable principal is present, or the principal is neither an
 *                         overseer of the process nor a candidate/assignee of the task
 */
private void verifyCurrentUserIsAuthorized(Process process, Task task)
        throws ForbiddenError, BadRequestError {
    if (process == null) {
        throw new BadRequestError(Constants.ExceptionCodes.process_does_not_exist);
    }

    String taskId = task == null ? null : task.getTaskInstanceId();
    Entity principal = identityHelper.getPrincipal();

    boolean unidentifiedPrincipal = principal == null || StringUtils.isEmpty(principal.getEntityId());
    if (unidentifiedPrincipal) {
        LOG.error(
                "Forbidden: Unauthorized user or user with no userId (e.g. system user) attempting to create a request for task: "
                        + taskId);
        throw new ForbiddenError();
    }

    // Overseers of the process bypass the task-level candidate/assignee check.
    if (principal.hasRole(process, AuthorizationRole.OVERSEER)) {
        return;
    }

    // NOTE(review): with no task supplied, a non-overseer principal passes this check — confirm intended.
    if (task != null && !task.isCandidateOrAssignee(principal)) {
        // NOTE(review): logs the principal's toString(); confirm it carries no secrets.
        LOG.warn(
                "Forbidden: Unauthorized principal " + principal.toString() + " attempting to access task " + taskId);
        throw new ForbiddenError();
    }
}