/**
 * Checks that the currently authenticated principal may act on {@code process}
 * and, when one is given, on {@code task}.
 *
 * <p>Authorization succeeds when the principal holds {@link AuthorizationRole#OVERSEER}
 * on the process, or when {@code task} is non-null and the principal is one of its
 * candidates or its assignee. Both refusal paths are logged before the error is thrown.
 *
 * <p>NOTE(review): when {@code task} is null, a principal that is not an OVERSEER is
 * let through without any further check — confirm this is the intended contract for
 * task-less requests.
 *
 * @param process the process being accessed; must not be null
 * @param task the task being accessed, or null when the request is not bound to a task
 * @throws BadRequestError if {@code process} is null
 * @throws ForbiddenError if there is no principal, the principal has no entity id, or
 *         the principal is neither an overseer of the process nor a candidate/assignee
 *         of the given task
 */
private void verifyCurrentUserIsAuthorized(Process process, Task task) throws ForbiddenError, BadRequestError {
    if (process == null) {
        throw new BadRequestError(Constants.ExceptionCodes.process_does_not_exist);
    }

    // Resolved up front so both log messages can name the task, even when it is absent.
    String taskInstanceId = (task == null) ? null : task.getTaskInstanceId();
    Entity currentPrincipal = identityHelper.getPrincipal();

    // A missing principal, or one without an entity id (e.g. a system user), is never authorized.
    boolean principalUnidentified =
            currentPrincipal == null || StringUtils.isEmpty(currentPrincipal.getEntityId());
    if (principalUnidentified) {
        LOG.error(
                "Forbidden: Unauthorized user or user with no userId (e.g. system user) attempting to create a request for task: "
                        + taskInstanceId);
        throw new ForbiddenError();
    }

    // Overseers of the process are always allowed through.
    if (currentPrincipal.hasRole(process, AuthorizationRole.OVERSEER)) {
        return;
    }

    // Non-overseers must be a candidate or the assignee of the task they are touching.
    if (task != null && !task.isCandidateOrAssignee(currentPrincipal)) {
        LOG.warn(
                "Forbidden: Unauthorized principal " + currentPrincipal.toString()
                        + " attempting to access task " + taskInstanceId);
        throw new ForbiddenError();
    }
}