Why can all user tasks be completed using a REST API call?

Hi,
I wanted to ask about user task completion via a REST API call. Why can all user tasks, even ones that already have an assignee, be completed by anybody making a REST call? How can it be implemented so that only the assignee can complete the task using a REST API call?


REST API authentication and authorization are switched off by default. If you want the /task/{id}/complete request to take authorization rules into account, enable it. This way, not all users can complete any task.

If an already authenticated user interacts with a resource in an unauthorized way, the status code of the response will be set to 403 Forbidden.
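As an added example (not code from the original thread or from Camunda itself), the following Python client shows what the answer above implies once authentication and authorization are switched on: the caller identifies itself with HTTP Basic credentials on the POST to /task/{id}/complete, and the engine answers 401 when the credentials are missing or wrong, 403 when the authenticated user is not allowed to complete that task, and 204 on success. Because the example must run offline, it includes a small constructed stand-in for the engine that enforces a simplified rule ("only the assignee may complete"); the real engine decides based on its authorization entries (task-level permissions), so the stand-in is an illustration of the response codes, not a copy of Camunda's logic. The base path /engine-rest, the user names and the task ids are all assumptions.

```python
import base64
import binascii
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data for the stand-in engine (not real Camunda state):
# task id -> assignee, and user -> password for HTTP Basic authentication.
FAKE_TASKS = {"task-1": "demo", "task-2": "mary"}
FAKE_USERS = {"demo": "demo", "mary": "secret"}


class _FakeEngineHandler(BaseHTTPRequestHandler):
    """Stand-in for POST /engine-rest/task/{id}/complete with auth enabled.

    Simplified policy for illustration only: 401 without valid credentials,
    403 when the caller is not the task's assignee, 404 for unknown tasks,
    204 when the task is completed.
    """

    def _authenticate(self):
        header = self.headers.get("Authorization", "")
        if not header.startswith("Basic "):
            return None
        try:
            decoded = base64.b64decode(header[6:], validate=True).decode()
        except (binascii.Error, UnicodeDecodeError):
            return None
        user, _, password = decoded.partition(":")
        return user if FAKE_USERS.get(user) == password else None

    def do_POST(self):
        # Consume the request body so the socket is left in a clean state.
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        user = self._authenticate()
        if user is None:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="engine"')
            self.end_headers()
            return
        parts = self.path.split("/")
        if len(parts) < 5 or parts[-3] != "task" or parts[-1] != "complete":
            self._json(404, {"message": "not found"})
            return
        task_id = parts[-2]
        assignee = FAKE_TASKS.get(task_id)
        if assignee is None:
            self._json(404, {"type": "RestException", "message": "No matching task"})
        elif assignee != user:
            self._json(403, {"type": "AuthorizationException",
                             "message": f"{user} is not permitted to complete {task_id}"})
        else:
            del FAKE_TASKS[task_id]  # task is now completed
            self.send_response(204)
            self.end_headers()

    def _json(self, status, payload):
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example output quiet
        pass


def complete_task(base_url, task_id, username, password, variables=None):
    """POST /task/{id}/complete with HTTP Basic credentials.

    Returns the HTTP status code (204, 401, 403, 404, ...) instead of raising,
    so a custom application can decide how to surface an authorization failure.
    """
    url = f"{base_url}/task/{task_id}/complete"
    body = json.dumps({"variables": variables or {}}).encode()
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    request = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
    )
    try:
        with urllib.request.urlopen(request) as response:
            return response.getcode()
    except urllib.error.HTTPError as error:
        return error.code


def start_fake_engine():
    """Start the constructed stand-in engine on a free local port."""
    server = HTTPServer(("127.0.0.1", 0), _FakeEngineHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/engine-rest"


if __name__ == "__main__":
    server, base = start_fake_engine()
    try:
        print("mary completing task-1 (assigned to demo):", complete_task(base, "task-1", "mary", "secret"))
        print("demo with wrong password:", complete_task(base, "task-1", "demo", "wrong"))
        print("demo completing task-1:", complete_task(base, "task-1", "demo", "demo"))
    finally:
        server.shutdown()
        server.server_close()
```

Against a real engine, point base_url at the deployed REST webapp instead of the stand-in; the credentials are consumed by the REST application's authentication filter, which must be configured for HTTP Basic authentication in that deployment (an assumption about your setup, not something the thread confirms), and the engine's authorization configuration decides whether the authenticated user receives 204 or 403.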

Thank you for the response. But I am unable to understand where I should send the username of the user who is completing the task in the REST call, so that the process engine can identify that it is an unauthorized call.

As I understand after reading the documentation, authorizations can be enabled for REST API calls, but if the Camunda process engine is called from a custom application using REST API calls, then access to those calls by any user will have to be managed at the custom-application level.
Please correct me if I am wrong.

I have authorization enabled, and still, users can complete tasks they’re not assigned to. @nvanbelle, @AakankshaTej, any idea why?