public virtual void checkUpdateProcessInstanceSuspensionState(ExecutionEntity execution) { ProcessDefinitionEntity processDefinition = (ProcessDefinitionEntity)execution.getProcessDefinition(); CompositePermissionCheck suspensionStatePermission = (new PermissionCheckBuilder()).disjunctive().atomicCheckForResourceId(PROCESS_INSTANCE, execution.ProcessInstanceId, ProcessInstancePermissions.SUSPEND).atomicCheckForResourceId(PROCESS_DEFINITION, processDefinition.Key, ProcessDefinitionPermissions.SUSPEND_INSTANCE).atomicCheckForResourceId(PROCESS_INSTANCE, execution.ProcessInstanceId, UPDATE).atomicCheckForResourceId(PROCESS_DEFINITION, processDefinition.Key, UPDATE_INSTANCE).build(); AuthorizationManager.checkAuthorization(suspensionStatePermission); }
public virtual void checkTaskWork(TaskEntity task) { string taskId = task.Id; string executionId = task.ExecutionId; if (!string.ReferenceEquals(executionId, null)) { // Permissions to task actions is based on the order in which PermissioncheckBuilder is built CompositePermissionCheck taskWorkPermission = (new PermissionCheckBuilder()).disjunctive().atomicCheckForResourceId(TASK, taskId, TASK_WORK).atomicCheckForResourceId(PROCESS_DEFINITION, task.ProcessDefinition.Key, TASK_WORK).atomicCheckForResourceId(TASK, taskId, UPDATE).atomicCheckForResourceId(PROCESS_DEFINITION, task.ProcessDefinition.Key, UPDATE_TASK).build(); AuthorizationManager.checkAuthorization(taskWorkPermission); } else { // if task does not exist in context of process // instance, then it is either a (a) standalone task // or (b) it exists in context of a case instance. // (a) standalone task: check following permission // - TASK_WORK or UPDATE // (b) task in context of a case instance, in this // case it is not necessary to check any permission, // because such tasks can always be updated string caseExecutionId = task.CaseExecutionId; if (string.ReferenceEquals(caseExecutionId, null)) { // standalone task CompositePermissionCheck taskWorkPermission = (new PermissionCheckBuilder()).disjunctive().atomicCheckForResourceId(TASK, taskId, TASK_WORK).atomicCheckForResourceId(TASK, taskId, UPDATE).build(); AuthorizationManager.checkAuthorization(taskWorkPermission); } } }
public virtual void checkReadProcessInstance(ExecutionEntity execution) { ProcessDefinitionEntity processDefinition = (ProcessDefinitionEntity)execution.getProcessDefinition(); // necessary permissions: // - READ on PROCESS_INSTANCE // ... OR ... // - READ_INSTANCE on PROCESS_DEFINITION CompositePermissionCheck readProcessInstancePermission = (new PermissionCheckBuilder()).disjunctive().atomicCheckForResourceId(PROCESS_INSTANCE, execution.ProcessInstanceId, READ).atomicCheckForResourceId(PROCESS_DEFINITION, processDefinition.Key, READ_INSTANCE).build(); AuthorizationManager.checkAuthorization(readProcessInstancePermission); }
public virtual void checkUpdateRetriesJob(JobEntity job) { if (string.ReferenceEquals(job.ProcessDefinitionKey, null)) { // "standalone" job: nothing to do! return; } CompositePermissionCheck retryJobPermission = (new PermissionCheckBuilder()).disjunctive().atomicCheckForResourceId(PROCESS_INSTANCE, job.ProcessInstanceId, ProcessInstancePermissions.RETRY_JOB).atomicCheckForResourceId(PROCESS_DEFINITION, job.ProcessDefinitionKey, ProcessDefinitionPermissions.RETRY_JOB).atomicCheckForResourceId(PROCESS_INSTANCE, job.ProcessInstanceId, UPDATE).atomicCheckForResourceId(PROCESS_DEFINITION, job.ProcessDefinitionKey, UPDATE_INSTANCE).build(); AuthorizationManager.checkAuthorization(retryJobPermission); }
public virtual void checkUpdateRetriesProcessInstanceByProcessDefinitionId(string processDefinitionId) { if (AuthorizationManager.AuthorizationEnabled) { ProcessDefinitionEntity processDefinition = findLatestProcessDefinitionById(processDefinitionId); if (processDefinition != null) { CompositePermissionCheck retryJobPermission = (new PermissionCheckBuilder()).disjunctive().atomicCheckForResourceId(PROCESS_INSTANCE, ANY, ProcessInstancePermissions.RETRY_JOB).atomicCheckForResourceId(PROCESS_DEFINITION, processDefinitionId, ProcessDefinitionPermissions.RETRY_JOB).atomicCheckForResourceId(PROCESS_INSTANCE, ANY, UPDATE).atomicCheckForResourceId(PROCESS_DEFINITION, processDefinitionId, UPDATE_INSTANCE).build(); AuthorizationManager.checkAuthorization(retryJobPermission); } } }
public virtual void checkDeleteUserOperationLog(UserOperationLogEntry entry) { /* * (1) if entry has a category and a process definition key: * => entry in context of process definition * => check either * DELETE_HISTORY on PROCESS_DEFINITION with processDefinitionKey OR * DELETE on OPERATION_LOG_CATEGORY with category * * (2) if entry has a category but no process definition key: * => standalone entry (task, job, batch, ...), admin entry (user, tenant, ...) or CMMN related * => check DELETE on OPERATION_LOG_CATEGORY with category * * (3) if entry has no category but a process definition key: * => pre-7.11.0 entry in context of process definition * => check DELETE_HISTORY on PROCESS_DEFINITION with processDefinitionKey * * (4) if entry has no category and no process definition key: * => pre-7.11.0 standalone entry (task, job, batch, ...) or CMMN related * => no authorization check like before 7.11.0 */ if (entry != null) { string category = entry.Category; string processDefinitionKey = entry.ProcessDefinitionKey; if (!string.ReferenceEquals(category, null) || !string.ReferenceEquals(processDefinitionKey, null)) { CompositePermissionCheck permissionCheck = null; if (string.ReferenceEquals(category, null)) { // case (3) permissionCheck = (new PermissionCheckBuilder()).atomicCheckForResourceId(PROCESS_DEFINITION, processDefinitionKey, DELETE_HISTORY).build(); } else if (string.ReferenceEquals(processDefinitionKey, null)) { // case (2) permissionCheck = (new PermissionCheckBuilder()).atomicCheckForResourceId(Resources.OPERATION_LOG_CATEGORY, category, UserOperationLogCategoryPermissions.DELETE).build(); } else { // case (1) permissionCheck = (new PermissionCheckBuilder()).disjunctive().atomicCheckForResourceId(PROCESS_DEFINITION, processDefinitionKey, DELETE_HISTORY).atomicCheckForResourceId(Resources.OPERATION_LOG_CATEGORY, category, UserOperationLogCategoryPermissions.DELETE).build(); } AuthorizationManager.checkAuthorization(permissionCheck); } // case (4) } }
public virtual void checkReadJob(JobEntity job) { if (string.ReferenceEquals(job.ProcessDefinitionKey, null)) { // "standalone" job: nothing to do! return; } // necessary permissions: // - READ on PROCESS_INSTANCE // ... OR ... // - READ_INSTANCE on PROCESS_DEFINITION CompositePermissionCheck readJobPermission = (new PermissionCheckBuilder()).disjunctive().atomicCheckForResourceId(PROCESS_INSTANCE, job.ProcessInstanceId, READ).atomicCheckForResourceId(PROCESS_DEFINITION, job.ProcessDefinitionKey, READ_INSTANCE).build(); AuthorizationManager.checkAuthorization(readJobPermission); }
public virtual void checkReadProcessInstanceVariable(ExecutionEntity execution) { if (AuthorizationManager.EnsureSpecificVariablePermission) { ProcessDefinitionEntity processDefinition = (ProcessDefinitionEntity)execution.getProcessDefinition(); // necessary permissions: // - READ_INSTANCE_VARIABLE on PROCESS_DEFINITION CompositePermissionCheck readProcessInstancePermission = (new PermissionCheckBuilder()).disjunctive().atomicCheckForResourceId(PROCESS_DEFINITION, processDefinition.Key, ProcessDefinitionPermissions.READ_INSTANCE_VARIABLE).build(); AuthorizationManager.checkAuthorization(readProcessInstancePermission); } else { checkReadProcessInstance(execution); } }
public virtual void checkUpdateTaskVariable(TaskEntity task) { string taskId = task.Id; string executionId = task.ExecutionId; if (!string.ReferenceEquals(executionId, null)) { // if task exists in context of a process instance // then check the following permissions: // - UPDATE_VARIABLE on TASK // - UPDATE_TASK_VARIABLE on PROCESS_DEFINITION // - UPDATE on TASK // - UPDATE_TASK on PROCESS_DEFINITION ExecutionEntity execution = task.getExecution(); ProcessDefinitionEntity processDefinition = (ProcessDefinitionEntity)execution.getProcessDefinition(); CompositePermissionCheck updateTaskPermissionCheck = (new PermissionCheckBuilder()).disjunctive().atomicCheckForResourceId(TASK, taskId, TaskPermissions.UPDATE_VARIABLE).atomicCheckForResourceId(PROCESS_DEFINITION, processDefinition.Key, ProcessDefinitionPermissions.UPDATE_TASK_VARIABLE).atomicCheckForResourceId(TASK, taskId, UPDATE).atomicCheckForResourceId(PROCESS_DEFINITION, processDefinition.Key, UPDATE_TASK).build(); AuthorizationManager.checkAuthorization(updateTaskPermissionCheck); } else { // if task does not exist in context of process // instance, then it is either a (a) standalone task // or (b) it exists in context of a case instance. // (a) standalone task: check following permission // - READ on TASK // (b) task in context of a case instance, in this // case it is not necessary to check any permission, // because such tasks can always be updated string caseExecutionId = task.CaseExecutionId; if (string.ReferenceEquals(caseExecutionId, null)) { // standalone task CompositePermissionCheck updateTaskPermissionCheck = (new PermissionCheckBuilder()).disjunctive().atomicCheckForResourceId(TASK, taskId, TaskPermissions.UPDATE_VARIABLE).atomicCheckForResourceId(TASK, taskId, UPDATE).build(); AuthorizationManager.checkAuthorization(updateTaskPermissionCheck); } } }
protected internal virtual void checkTaskPermission(TaskEntity task, Permission processDefinitionPermission, Permission taskPermission) { string taskId = task.Id; string executionId = task.ExecutionId; if (!string.ReferenceEquals(executionId, null)) { // if task exists in context of a process instance // then check the following permissions: // - 'taskPermission' on TASK // - 'processDefinitionPermission' on PROCESS_DEFINITION ExecutionEntity execution = task.getExecution(); ProcessDefinitionEntity processDefinition = execution.getProcessDefinition(); CompositePermissionCheck readTaskPermission = (new PermissionCheckBuilder()).disjunctive().atomicCheckForResourceId(TASK, taskId, taskPermission).atomicCheckForResourceId(PROCESS_DEFINITION, processDefinition.Key, processDefinitionPermission).build(); AuthorizationManager.checkAuthorization(readTaskPermission); } else { // if task does not exist in context of process // instance, then it is either a (a) standalone task // or (b) it exists in context of a case instance. // (a) standalone task: check following permission // - 'taskPermission' on TASK // (b) task in context of a case instance, in this // case it is not necessary to check any permission, // because such tasks can always be read string caseExecutionId = task.CaseExecutionId; if (string.ReferenceEquals(caseExecutionId, null)) { AuthorizationManager.checkAuthorization(taskPermission, TASK, taskId); } } }
public virtual void checkCreateBatch(Permission permission) { CompositePermissionCheck createBatchPermission = (new PermissionCheckBuilder()).disjunctive().atomicCheckForResourceId(BATCH, null, permission).atomicCheckForResourceId(BATCH, null, CREATE).build(); AuthorizationManager.checkAuthorization(createBatchPermission); }
public virtual void checkUpdateProcessInstanceSuspensionStateByProcessDefinitionKey(string processDefinitionKey) { CompositePermissionCheck suspensionStatePermission = (new PermissionCheckBuilder()).disjunctive().atomicCheckForResourceId(PROCESS_INSTANCE, null, ProcessInstancePermissions.SUSPEND).atomicCheckForResourceId(PROCESS_DEFINITION, processDefinitionKey, ProcessDefinitionPermissions.SUSPEND_INSTANCE).atomicCheckForResourceId(PROCESS_INSTANCE, null, UPDATE).atomicCheckForResourceId(PROCESS_DEFINITION, processDefinitionKey, UPDATE_INSTANCE).build(); AuthorizationManager.checkAuthorization(suspensionStatePermission); }