https://connect.hyland.com/t5/alfresco-archive/claim-task-security-issue/m-p/95422#M65458 <HTML><HEAD></HEAD><BODY><SPAN>Hi,</SPAN><BR /><SPAN> </SPAN><BR /><SPAN>I think that there is a security problem with claiming tasks. In other words, someone who is not candidate user for task can claim task, because Activiti doesn't check for </SPAN><BR /><SPAN>group that user belongs to.</SPAN><BR /><BR /><SPAN>See attached code (org.activiti.engine.impl.cmd.ClaimTaskCmd):</SPAN><BR /><BR /><BLOCKQUOTE class="jive-quote">public Void execute(CommandContext commandContext) {<BR />&nbsp;&nbsp;&nbsp; if(taskId == null) {<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; throw new ActivitiException("taskId is null");<BR />&nbsp;&nbsp;&nbsp; }<BR />&nbsp;&nbsp;&nbsp; <BR />&nbsp;&nbsp;&nbsp; TaskEntity task = Context<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .getCommandContext()<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .getTaskManager()<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .findTaskById(taskId);<BR />&nbsp;&nbsp;&nbsp; <BR />&nbsp;&nbsp;&nbsp; if (task == null) {<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; throw new ActivitiException("Cannot find task with id " + taskId);<BR />&nbsp;&nbsp;&nbsp; }<BR />&nbsp;&nbsp;&nbsp; if(userId != null) {<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if (task.getAssignee() != null) {<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if(!task.getAssignee().equals(userId)) {<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; // When the task is already claimed by another user, throw exception. Otherwise, ignore<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; // this, post-conditions of method already met.<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; throw new ActivitiException("Task " + taskId + " is already claimed by someone else");<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; } else {<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; task.setAssignee(userId);<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <BR />&nbsp;&nbsp;&nbsp; } else {<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; // Task should be assigned to no one<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; task.setAssignee(null);<BR />&nbsp;&nbsp;&nbsp; }<BR /><BR />&nbsp;&nbsp;&nbsp; return null;<BR />&nbsp; }</BLOCKQUOTE><BR /><SPAN>My question is, should we do this check before claiming tasks, or this is issue that should be posted on jira?</SPAN><BR /><BR /><SPAN>Best regards,</SPAN><BR /><SPAN>Miljan Kosanin</SPAN><BR /><SPAN>Java developer</SPAN></BODY></HTML> Thu, 02 Feb 2012 16:05:42 GMT miljanmk 2012-02-02T16:05:42Z https://connect.hyland.com/t5/alfresco-archive/claim-task-security-issue/m-p/95422#M65458 Hi, I think that there is a security problem with claiming tasks. In other words, someone who is not candidate user for task can claim task, because Activiti doesn't check for group that user belongs to.See attached code (org.activiti.engine.impl.cmd.ClaimTaskCmd)<IMG id="smileytongue" class="emoticon emoticon-smileytongue" src="https://migration33.stage.lithium.com/i/smilies/16x16_smiley-tongue.png" alt="Smiley Tongue" title="Smiley Tongue" />ublic Void execute(CommandContext Thu, 02 Feb 2012 16:05:42 GMT https://connect.hyland.com/t5/alfresco-archive/claim-task-security-issue/m-p/95422#M65458 miljanmk 2012-02-02T16:05:42Z https://connect.hyland.com/t5/alfresco-archive/claim-task-security-issue/m-p/95423#M65459 <HTML><HEAD></HEAD><BODY><SPAN>It'sthe responsibility of the calling application to check this IF needed…</SPAN></BODY></HTML> Thu, 02 Feb 2012 19:07:33 GMT https://connect.hyland.com/t5/alfresco-archive/claim-task-security-issue/m-p/95423#M65459 ronald_van_kuij 2012-02-02T19:07:33Z