Claim Task With InvalidUser

Hi, I'm using the Camunda API for claiming a task:
https://docs.camunda.org/manual/7.12/reference/rest/task/post-claim/

It is working for the right user.
But when I send a wrong user-id in the payload, it does not throw an error.


I have observed this issue too… do share the solution if you find any.

Hi @gumang and @Atmesh_Agarwal1,

it is a matter of authorizations. It’s hard to define “wrong user”.

Check out the possibilities by yourself here: Authorization Service | docs.camunda.org.

And be aware that the camunda-bpm-spring-boot-starter disables authorization checks by default.

Hope this helps, Ingo

Hi @Ingo_Richtsmeier
Authorization is enabled.
But my problem is not authentication.
It's about the userId in the payload. That userId does not exist in the system.
For example:
Url: rest/task/100453/claim
Authentication: admin/admin
Payload: {"userId":"sdfdsf"}

Admin here is a valid user and has all privileges.
He/She assigns the task 100453 to sdfdsf. But there is no such user. I expect some message from Camunda whether there is any such user.

Hi @gumang,

The core of the Camunda engine treats users, groups and tenants as simple text strings
https://camunda.com/best-practices/securing-camunda/#_understanding_strong_users_strong_strong_groups_strong_and_strong_tenants_strong

Validation of assignee existence could be implemented by a generic task listener to be triggered on assignment event.

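import org.camunda.bpm.engine.IdentityService;
import org.camunda.bpm.engine.ProcessEngineException;
import org.camunda.bpm.engine.delegate.DelegateTask;
import org.camunda.bpm.engine.delegate.TaskListener;
import org.camunda.bpm.engine.identity.User;
import org.camunda.bpm.engine.impl.identity.Authentication;

// Task listener for the "assignment" event (class name is illustrative):
// rejects an assignee that the identity service does not know.
public class AssigneeExistsListener implements TaskListener {

    @Override
    public void notify(DelegateTask delegateTask) {
        IdentityService identityService = delegateTask.getProcessEngineServices()
            .getIdentityService();

        if (delegateTask.getAssignee() != null) {

            // remember the caller's authentication so it can be restored
            Authentication currentAuthentication = identityService.getCurrentAuthentication();
            User assigneeEntity;

            try {
                identityService.clearAuthentication();

                // run without authorization checks
                assigneeEntity = identityService.createUserQuery()
                    .userId(delegateTask.getAssignee()).singleResult();
            }
            finally {
                // always restore the authentication, even if the query fails
                identityService.setAuthentication(currentAuthentication);
            }

            if (assigneeEntity == null) {
                // the exception rolls back the claim/assignment
                throw new ProcessEngineException("Invalid assignee");
            }
        }
    }
}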
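
One way to make such a listener generic, as an added example that is not part of the original posts or Camunda's own code: a process engine plugin that attaches a given assignment listener to every user task when a BPMN definition is parsed. The class name `GlobalAssignmentListenerPlugin` is hypothetical, and the listener passed to the constructor is assumed to perform the assignee check.

```java
import java.util.ArrayList;
import java.util.List;

import org.camunda.bpm.engine.delegate.TaskListener;
import org.camunda.bpm.engine.impl.bpmn.behavior.UserTaskActivityBehavior;
import org.camunda.bpm.engine.impl.bpmn.parser.AbstractBpmnParseListener;
import org.camunda.bpm.engine.impl.bpmn.parser.BpmnParseListener;
import org.camunda.bpm.engine.impl.cfg.AbstractProcessEnginePlugin;
import org.camunda.bpm.engine.impl.cfg.ProcessEngineConfigurationImpl;
import org.camunda.bpm.engine.impl.pvm.delegate.ActivityBehavior;
import org.camunda.bpm.engine.impl.pvm.process.ActivityImpl;
import org.camunda.bpm.engine.impl.pvm.process.ScopeImpl;
import org.camunda.bpm.engine.impl.util.xml.Element;

// Hypothetical plugin: registers one "assignment" listener on every user task.
public class GlobalAssignmentListenerPlugin extends AbstractProcessEnginePlugin {

    // Assumed to validate the assignee, e.g. by querying the identity service.
    private final TaskListener assignmentListener;

    public GlobalAssignmentListenerPlugin(TaskListener assignmentListener) {
        this.assignmentListener = assignmentListener;
    }

    @Override
    public void preInit(ProcessEngineConfigurationImpl configuration) {
        List<BpmnParseListener> listeners = configuration.getCustomPreBPMNParseListeners();
        if (listeners == null) {
            listeners = new ArrayList<>();
            configuration.setCustomPreBPMNParseListeners(listeners);
        }
        listeners.add(new AbstractBpmnParseListener() {
            @Override
            public void parseUserTask(Element userTaskElement, ScopeImpl scope, ActivityImpl activity) {
                ActivityBehavior behavior = activity.getActivityBehavior();
                if (behavior instanceof UserTaskActivityBehavior) {
                    // Fires on claim, setAssignee and delegate for this user task.
                    ((UserTaskActivityBehavior) behavior).getTaskDefinition()
                        .addTaskListener(TaskListener.EVENTNAME_ASSIGNMENT, assignmentListener);
                }
            }
        });
    }
}
```

The listener is attached at parse time, so it covers user tasks of BPMN processes only; standalone tasks created outside a process are not covered.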

Hi @hassang
Thanks for the solution. I will try it out and update here.