4 Replies Latest reply on Oct 12, 2007 8:16 AM by Ronald van Kuijk

    Is JBPM authorization model broken ?

    Thomas Brough Newbie

      Ok JBPM has gone from challenging to getting on my wick !

      Im using jbpm-jpdl-3.2.1 and it seems that no matter what I configure in my processdefinition.xml any user can see / act on any task.

      Consider this :-

      <?xml version="1.0" encoding="UTF-8"?>
      
      <process-definition
       xmlns="urn:jbpm.org:jpdl-3.2"
       name="IT01">
      
       <!-- Nodes -->
       <!-- start-state -->
       <start-state name="start">
       <transition name="transition1" to="getDetails"></transition>
       </start-state>
      
       <!-- end-state -->
       <end-state name="end"></end-state>
      
       <!-- getDetails - get initial details of IT01 -->
       <task-node name="getDetails">
       <task name="getDetails">
       <assignment expression="user(manager)" />
       </task>
       <transition name="Transition2" to="Check Form">
       </transition>
       </task-node>
      
       <!-- Check Form - IT Manager checks form -->
      
       <task-node name="Check Form">
       <task name="ITManagerFormCheck">
       <assignment expression="user(manager)" />
       </task>
       <transition name="Transition3" to="end"></transition>
       </task-node>
      </process-definition>
      


      You would expect
      <assignment expression="user(manager)" />
      to assign the task to manager right ?

      when I log in as user, I can start a new process, this presents me with a Task, the task says its assigned to manager, which is what you would expect however when you click examine it goes on to let you fill in the associated form with the task (as user). You can then "submit" that task and transition to the next task (all done as user: user).