https://connect.hyland.com/t5/alfresco-archive/claim-task-security-issue/m-p/95423#M65459 <HTML><HEAD></HEAD><BODY><SPAN>It'sthe responsibility of the calling application to check this IF needed…</SPAN></BODY></HTML> Thu, 02 Feb 2012 19:07:33 GMT ronald_van_kuij 2012-02-02T19:07:33Z https://connect.hyland.com/t5/alfresco-archive/claim-task-security-issue/m-p/95422#M65458 Hi, I think that there is a security problem with claiming tasks. In other words, someone who is not candidate user for task can claim task, because Activiti doesn't check for group that user belongs to.See attached code (org.activiti.engine.impl.cmd.ClaimTaskCmd)<IMG id="smileytongue" class="emoticon emoticon-smileytongue" src="https://migration33.stage.lithium.com/i/smilies/16x16_smiley-tongue.png" alt="Smiley Tongue" title="Smiley Tongue" />ublic Void execute(CommandContext Thu, 02 Feb 2012 16:05:42 GMT https://connect.hyland.com/t5/alfresco-archive/claim-task-security-issue/m-p/95422#M65458 miljanmk 2012-02-02T16:05:42Z https://connect.hyland.com/t5/alfresco-archive/claim-task-security-issue/m-p/95423#M65459 <HTML><HEAD></HEAD><BODY><SPAN>It'sthe responsibility of the calling application to check this IF needed…</SPAN></BODY></HTML> Thu, 02 Feb 2012 19:07:33 GMT https://connect.hyland.com/t5/alfresco-archive/claim-task-security-issue/m-p/95423#M65459 ronald_van_kuij 2012-02-02T19:07:33Z