
Accessing another user task

tobix10
Champ on-the-rise
Hello, when I try to get details of a task from an account which is not the owner's, I receive an exception:

    org.alfresco.repo.security.permissions.AccessDeniedException: Accessing task with id='activiti$12495' is not allowed for user 'username'.

From the admin console I gave that user all permissions on the associated workflow document and even all permissions on the package folder, but nothing changed. How to do this right?

My goal is to give read-only access to all tasks where some user was chosen as Observer (there is a special field on the form).
I've tried to set permissions on bpm_package in an org.alfresco.repo.workflow.activiti.tasklistener.ScriptTaskListener call after completion of the task, but I got an error that 'observers' is not defined (this is an aspect set on the task; this aspect is an association to cm:person). My code:
    for (i=0; i < observers.size(); i++) {
         bpm_package.setPermission("Collaborator", observers.get(i).properties["cm:userName"]);
    }
runas admin

How to get this aspect/association in script?

Any suggestions how to give access to tasks to users that are not initiator or owner?

Activiti engine
Alfresco 4.2d
4 REPLIES 4

afaust
Legendary Innovator
Hello,

you can't assign permissions on tasks. If you want to modify the way the workflow service limits the view on tasks you need to provide an alternative implementation for bean "WorkflowService_security" (introduced in Alfresco 4.1.5 / 4.2d). This interceptor is responsible for managing access to workflows and tasks. Unfortunately, any change will have to involve Java coding and be universal in nature (affecting all kinds of workflows / tasks).

Regards
Axel

lyles
Champ in-the-making
Is it possible to easily disable this workflow service security so that access to the workflow details behaves the way that it did in 4.2.c?

I'm testing a custom workflow in Alfresco 4.2.e. The workflow has several review tasks and I have discovered that participants in the workflow can now only see their own task and the start task. This is not acceptable, as participants must be able to see the comments from all previous tasks.

This seems like a bug.

EDIT:
I'll answer my own question.
The workflow service security can be easily disabled by modifying:
  alfresco/WEB-INF/classes/alfresco/public-services-security-context.xml

Change

    <bean id="WorkflowService_security" class="org.alfresco.service.cmr.workflow.WorkflowPermissionInterceptor" >
      <property name="personService"><ref bean="personService"/></property>
      <property name="authorityService"><ref bean="authorityService"/></property>
      <property name="workflowService"><ref bean="workflowServiceImpl" /></property>
    </bean>

to

    <!-- This service now has no restrictions. -->
    <bean id="WorkflowService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor" />

Great, this was what I was looking for as well! Thanks!

To make the permissions more specific, I think you have 2 more alternatives:
- stick to the out-of-the-box properties in your task model to define your task assignees (bpm_assignee, bpm_assignees, bpm_groupAssignee, bpm_groupAssignees and bpm_pooledActors)
- rewrite the WorkflowPermissionInterceptor, specifically the method isInitiatorOrAssignee(WorkflowTask wt, String userName), and add in here your custom properties, users, etc., and use it to redefine the Spring bean named "WorkflowService_security"
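
As an added example (not code from this thread or from Alfresco): a helper that a rewritten isInitiatorOrAssignee could call to recognise observers, as a narrower alternative to removing the interceptor. The class name, the `observers` QName and its namespace, and the assumption that the association arrives in the task properties as a NodeRef or a collection of NodeRefs are all hypothetical.

```java
import java.io.Serializable;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;

import org.alfresco.model.ContentModel;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.workflow.WorkflowTask;
import org.alfresco.service.namespace.QName;

/** Hypothetical helper: is the given user listed as an observer on the task? */
public class TaskObserverCheck {
    // Assumption: the custom task model declares the observers association under this QName.
    static final QName ASSOC_OBSERVERS =
        QName.createQName("http://example.org/model/workflow/1.0", "observers");

    private NodeService nodeService;

    public void setNodeService(NodeService nodeService) {
        this.nodeService = nodeService;
    }

    public boolean isObserver(WorkflowTask task, String userName) {
        if (task == null || userName == null) {
            return false; // fail closed: no task or no user means no access
        }
        Map<QName, Serializable> props = task.getProperties();
        Serializable value = (props == null) ? null : props.get(ASSOC_OBSERVERS);
        Collection<?> refs;
        if (value instanceof Collection) {
            refs = (Collection<?>) value;               // multi-valued association
        } else if (value instanceof NodeRef) {
            refs = Collections.singletonList(value);    // single-valued association
        } else {
            return false;                               // unset or unexpected type
        }
        for (Object ref : refs) {
            if (!(ref instanceof NodeRef) || !nodeService.exists((NodeRef) ref)) {
                continue;                               // skip stale or foreign entries
            }
            // Compare against the cm:userName of the associated cm:person node.
            Serializable name = nodeService.getProperty((NodeRef) ref, ContentModel.PROP_USERNAME);
            if (userName.equals(name)) {
                return true;
            }
        }
        return false;
    }
}
```

The thread does not show which operations isInitiatorOrAssignee gates, so check your version's source to see whether granting observers through it also lets them update or end the task, and keep the check on the read path if read-only access is the goal.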