Hyland Connect

vincent-kali · ‎09-10-2018

When trying to update a task property (bpm:comment) with code run as system, the update is just not applied (but no exception thrown). When executing the code as the task assigned user, it works fine.

Any idea ?

The code:

try {
if (userIsProcessManager) {
  AuthenticationUtil.setRunAsUserSystem();
  logger.debug("Running as system user");
}

WorkflowTask task = this.services.getWorkflowService().getTaskById(taskId);
if (task == null){
  logger.error(ERR_MSG_INCORRECT_TASKID);
  throw new WebScriptException(ERR_CODE_BAD_REQUEST, ERR_MSG_INCORRECT_TASKID);
}

if ((!userIsProcessManager) &&
  (AuthenticationUtil.getFullyAuthenticatedUser().compareToIgnoreCase((String) task.getProperties().get(ContentModel.PROP_OWNER)) !=0)){
  logger.error(ERR_MSG_INCORRECT_TASK_ASSIGNEE);
  throw new WebScriptException(ERR_CODE_BAD_REQUEST, ERR_MSG_INCORRECT_TASK_ASSIGNEE);
}

Map<QName, Serializable> props = this.getPropertyMap (...);
this.services.getWorkflowService().updateTask(taskId, props, null, null);
if (endTask) this.services.getWorkflowService().endTask(taskId, null);

}finally {
AuthenticationUtil.clearCurrentSecurityContext();
}

vincent-kali · ‎09-13-2018

It's finally working fine (A dummy bug fixed).
Sorry for this useless post.

Just to share the code for task update:

Code reference from alfresco:
org.alfresco.repo.web.scripts.workflow.TaskInstancePut
org.alfresco.repo.workflow.TaskUpdater

My code using RunAsWork:

finalTaskState = AuthenticationUtil.runAs(
  new AuthenticationUtil.RunAsWork<String>() {
  public String doWork() throws Exception {
   logger.info("Running update task as: " + AuthenticationUtil.getRunAsUser());
   ...
   workflowService.updateTask(taskId, taskProps, null, null);
         if (endTaskRequested) workflowService.endTask(taskId, null);
         return task.getState().toString();
  }
}, AuthenticationUtil.getSystemUserName());

View answer in original post

afaust · ‎09-10-2018

Always use the runAsSystem(RunAsWork) variant instead of relying on try-finally with setRunAsUserSystem - your code is safer that way.

In your code, you are explicitly clearing the entire security context in the finally block. This does not only clear the runAs context, but also the currently logged in user. Any operation that occurs afterwards may fail due to missing authentication data.

Why do you want to run that piece of code as system anyway? Nothing you are doing appears to require elevated privileges. If any code in the process needs elevated privileges, you should apply a runAs context to as granular a level as possible ("with great power comes...").

vincent-kali · ‎09-10-2018

Thanks for your response.

Still no luck when running code using 'AuthenticationUtil.RunAsWork<String>()....'.

I've tried using System or Admin account, same result (change not applied).

Is this by design ?

(I want to be able to update some task properties on behalf of the task assignee in some special cases.)

jpotts · ‎09-11-2018

Maybe you should share the refactored code that uses RunAsWork as well as the debug output.

Jeff Potts
https://www.metaversant.com | https://ecmarchitect.com

vincent-kali · ‎09-13-2018