public virtual void checkUpdateProcessInstanceSuspensionState(ExecutionEntity execution)
{
ProcessDefinitionEntity processDefinition = (ProcessDefinitionEntity)execution.getProcessDefinition();
CompositePermissionCheck suspensionStatePermission = (new PermissionCheckBuilder()).disjunctive().atomicCheckForResourceId(PROCESS_INSTANCE, execution.ProcessInstanceId, ProcessInstancePermissions.SUSPEND).atomicCheckForResourceId(PROCESS_DEFINITION, processDefinition.Key, ProcessDefinitionPermissions.SUSPEND_INSTANCE).atomicCheckForResourceId(PROCESS_INSTANCE, execution.ProcessInstanceId, UPDATE).atomicCheckForResourceId(PROCESS_DEFINITION, processDefinition.Key, UPDATE_INSTANCE).build();
AuthorizationManager.checkAuthorization(suspensionStatePermission);
}
public virtual void checkTaskWork(TaskEntity task)
{
string taskId = task.Id;
string executionId = task.ExecutionId;
if (!string.ReferenceEquals(executionId, null))
{
// Permissions to task actions is based on the order in which PermissioncheckBuilder is built
CompositePermissionCheck taskWorkPermission = (new PermissionCheckBuilder()).disjunctive().atomicCheckForResourceId(TASK, taskId, TASK_WORK).atomicCheckForResourceId(PROCESS_DEFINITION, task.ProcessDefinition.Key, TASK_WORK).atomicCheckForResourceId(TASK, taskId, UPDATE).atomicCheckForResourceId(PROCESS_DEFINITION, task.ProcessDefinition.Key, UPDATE_TASK).build();
AuthorizationManager.checkAuthorization(taskWorkPermission);
}
else
{
// if task does not exist in context of process
// instance, then it is either a (a) standalone task
// or (b) it exists in context of a case instance.
// (a) standalone task: check following permission
// - TASK_WORK or UPDATE
// (b) task in context of a case instance, in this
// case it is not necessary to check any permission,
// because such tasks can always be updated
string caseExecutionId = task.CaseExecutionId;
if (string.ReferenceEquals(caseExecutionId, null))
{
// standalone task
CompositePermissionCheck taskWorkPermission = (new PermissionCheckBuilder()).disjunctive().atomicCheckForResourceId(TASK, taskId, TASK_WORK).atomicCheckForResourceId(TASK, taskId, UPDATE).build();
AuthorizationManager.checkAuthorization(taskWorkPermission);
}
}
}
public virtual void checkReadProcessInstance(ExecutionEntity execution)
{
ProcessDefinitionEntity processDefinition = (ProcessDefinitionEntity)execution.getProcessDefinition();
// necessary permissions:
// - READ on PROCESS_INSTANCE
// ... OR ...
// - READ_INSTANCE on PROCESS_DEFINITION
CompositePermissionCheck readProcessInstancePermission = (new PermissionCheckBuilder()).disjunctive().atomicCheckForResourceId(PROCESS_INSTANCE, execution.ProcessInstanceId, READ).atomicCheckForResourceId(PROCESS_DEFINITION, processDefinition.Key, READ_INSTANCE).build();
AuthorizationManager.checkAuthorization(readProcessInstancePermission);
}
public virtual void checkUpdateRetriesJob(JobEntity job)
{
if (string.ReferenceEquals(job.ProcessDefinitionKey, null))
{
// "standalone" job: nothing to do!
return;
}
CompositePermissionCheck retryJobPermission = (new PermissionCheckBuilder()).disjunctive().atomicCheckForResourceId(PROCESS_INSTANCE, job.ProcessInstanceId, ProcessInstancePermissions.RETRY_JOB).atomicCheckForResourceId(PROCESS_DEFINITION, job.ProcessDefinitionKey, ProcessDefinitionPermissions.RETRY_JOB).atomicCheckForResourceId(PROCESS_INSTANCE, job.ProcessInstanceId, UPDATE).atomicCheckForResourceId(PROCESS_DEFINITION, job.ProcessDefinitionKey, UPDATE_INSTANCE).build();
AuthorizationManager.checkAuthorization(retryJobPermission);
}
public virtual void checkUpdateRetriesProcessInstanceByProcessDefinitionId(string processDefinitionId)
{
if (AuthorizationManager.AuthorizationEnabled)
{
ProcessDefinitionEntity processDefinition = findLatestProcessDefinitionById(processDefinitionId);
if (processDefinition != null)
{
CompositePermissionCheck retryJobPermission = (new PermissionCheckBuilder()).disjunctive().atomicCheckForResourceId(PROCESS_INSTANCE, ANY, ProcessInstancePermissions.RETRY_JOB).atomicCheckForResourceId(PROCESS_DEFINITION, processDefinitionId, ProcessDefinitionPermissions.RETRY_JOB).atomicCheckForResourceId(PROCESS_INSTANCE, ANY, UPDATE).atomicCheckForResourceId(PROCESS_DEFINITION, processDefinitionId, UPDATE_INSTANCE).build();
AuthorizationManager.checkAuthorization(retryJobPermission);
}
}
}
public virtual void checkDeleteUserOperationLog(UserOperationLogEntry entry)
{
/*
* (1) if entry has a category and a process definition key:
* => entry in context of process definition
* => check either
* DELETE_HISTORY on PROCESS_DEFINITION with processDefinitionKey OR
* DELETE on OPERATION_LOG_CATEGORY with category
*
* (2) if entry has a category but no process definition key:
* => standalone entry (task, job, batch, ...), admin entry (user, tenant, ...) or CMMN related
* => check DELETE on OPERATION_LOG_CATEGORY with category
*
* (3) if entry has no category but a process definition key:
* => pre-7.11.0 entry in context of process definition
* => check DELETE_HISTORY on PROCESS_DEFINITION with processDefinitionKey
*
* (4) if entry has no category and no process definition key:
* => pre-7.11.0 standalone entry (task, job, batch, ...) or CMMN related
* => no authorization check like before 7.11.0
*/
if (entry != null)
{
string category = entry.Category;
string processDefinitionKey = entry.ProcessDefinitionKey;
if (!string.ReferenceEquals(category, null) || !string.ReferenceEquals(processDefinitionKey, null))
{
CompositePermissionCheck permissionCheck = null;
if (string.ReferenceEquals(category, null))
{
// case (3)
permissionCheck = (new PermissionCheckBuilder()).atomicCheckForResourceId(PROCESS_DEFINITION, processDefinitionKey, DELETE_HISTORY).build();
}
else if (string.ReferenceEquals(processDefinitionKey, null))
{
// case (2)
permissionCheck = (new PermissionCheckBuilder()).atomicCheckForResourceId(Resources.OPERATION_LOG_CATEGORY, category, UserOperationLogCategoryPermissions.DELETE).build();
}
else
{
// case (1)
permissionCheck = (new PermissionCheckBuilder()).disjunctive().atomicCheckForResourceId(PROCESS_DEFINITION, processDefinitionKey, DELETE_HISTORY).atomicCheckForResourceId(Resources.OPERATION_LOG_CATEGORY, category, UserOperationLogCategoryPermissions.DELETE).build();
}
AuthorizationManager.checkAuthorization(permissionCheck);
}
// case (4)
}
}
public virtual void checkReadJob(JobEntity job)
{
if (string.ReferenceEquals(job.ProcessDefinitionKey, null))
{
// "standalone" job: nothing to do!
return;
}
// necessary permissions:
// - READ on PROCESS_INSTANCE
// ... OR ...
// - READ_INSTANCE on PROCESS_DEFINITION
CompositePermissionCheck readJobPermission = (new PermissionCheckBuilder()).disjunctive().atomicCheckForResourceId(PROCESS_INSTANCE, job.ProcessInstanceId, READ).atomicCheckForResourceId(PROCESS_DEFINITION, job.ProcessDefinitionKey, READ_INSTANCE).build();
AuthorizationManager.checkAuthorization(readJobPermission);
}
public virtual void checkReadProcessInstanceVariable(ExecutionEntity execution)
{
if (AuthorizationManager.EnsureSpecificVariablePermission)
{
ProcessDefinitionEntity processDefinition = (ProcessDefinitionEntity)execution.getProcessDefinition();
// necessary permissions:
// - READ_INSTANCE_VARIABLE on PROCESS_DEFINITION
CompositePermissionCheck readProcessInstancePermission = (new PermissionCheckBuilder()).disjunctive().atomicCheckForResourceId(PROCESS_DEFINITION, processDefinition.Key, ProcessDefinitionPermissions.READ_INSTANCE_VARIABLE).build();
AuthorizationManager.checkAuthorization(readProcessInstancePermission);
}
else
{
checkReadProcessInstance(execution);
}
}
public virtual void checkUpdateTaskVariable(TaskEntity task)
{
string taskId = task.Id;
string executionId = task.ExecutionId;
if (!string.ReferenceEquals(executionId, null))
{
// if task exists in context of a process instance
// then check the following permissions:
// - UPDATE_VARIABLE on TASK
// - UPDATE_TASK_VARIABLE on PROCESS_DEFINITION
// - UPDATE on TASK
// - UPDATE_TASK on PROCESS_DEFINITION
ExecutionEntity execution = task.getExecution();
ProcessDefinitionEntity processDefinition = (ProcessDefinitionEntity)execution.getProcessDefinition();
CompositePermissionCheck updateTaskPermissionCheck = (new PermissionCheckBuilder()).disjunctive().atomicCheckForResourceId(TASK, taskId, TaskPermissions.UPDATE_VARIABLE).atomicCheckForResourceId(PROCESS_DEFINITION, processDefinition.Key, ProcessDefinitionPermissions.UPDATE_TASK_VARIABLE).atomicCheckForResourceId(TASK, taskId, UPDATE).atomicCheckForResourceId(PROCESS_DEFINITION, processDefinition.Key, UPDATE_TASK).build();
AuthorizationManager.checkAuthorization(updateTaskPermissionCheck);
}
else
{
// if task does not exist in context of process
// instance, then it is either a (a) standalone task
// or (b) it exists in context of a case instance.
// (a) standalone task: check following permission
// - READ on TASK
// (b) task in context of a case instance, in this
// case it is not necessary to check any permission,
// because such tasks can always be updated
string caseExecutionId = task.CaseExecutionId;
if (string.ReferenceEquals(caseExecutionId, null))
{
// standalone task
CompositePermissionCheck updateTaskPermissionCheck = (new PermissionCheckBuilder()).disjunctive().atomicCheckForResourceId(TASK, taskId, TaskPermissions.UPDATE_VARIABLE).atomicCheckForResourceId(TASK, taskId, UPDATE).build();
AuthorizationManager.checkAuthorization(updateTaskPermissionCheck);
}
}
}
protected internal virtual void checkTaskPermission(TaskEntity task, Permission processDefinitionPermission, Permission taskPermission)
{
string taskId = task.Id;
string executionId = task.ExecutionId;
if (!string.ReferenceEquals(executionId, null))
{
// if task exists in context of a process instance
// then check the following permissions:
// - 'taskPermission' on TASK
// - 'processDefinitionPermission' on PROCESS_DEFINITION
ExecutionEntity execution = task.getExecution();
ProcessDefinitionEntity processDefinition = execution.getProcessDefinition();
CompositePermissionCheck readTaskPermission = (new PermissionCheckBuilder()).disjunctive().atomicCheckForResourceId(TASK, taskId, taskPermission).atomicCheckForResourceId(PROCESS_DEFINITION, processDefinition.Key, processDefinitionPermission).build();
AuthorizationManager.checkAuthorization(readTaskPermission);
}
else
{
// if task does not exist in context of process
// instance, then it is either a (a) standalone task
// or (b) it exists in context of a case instance.
// (a) standalone task: check following permission
// - 'taskPermission' on TASK
// (b) task in context of a case instance, in this
// case it is not necessary to check any permission,
// because such tasks can always be read
string caseExecutionId = task.CaseExecutionId;
if (string.ReferenceEquals(caseExecutionId, null))
{
AuthorizationManager.checkAuthorization(taskPermission, TASK, taskId);
}
}
}
public virtual void checkCreateBatch(Permission permission)
{
CompositePermissionCheck createBatchPermission = (new PermissionCheckBuilder()).disjunctive().atomicCheckForResourceId(BATCH, null, permission).atomicCheckForResourceId(BATCH, null, CREATE).build();
AuthorizationManager.checkAuthorization(createBatchPermission);
}
public virtual void checkUpdateProcessInstanceSuspensionStateByProcessDefinitionKey(string processDefinitionKey)
{
CompositePermissionCheck suspensionStatePermission = (new PermissionCheckBuilder()).disjunctive().atomicCheckForResourceId(PROCESS_INSTANCE, null, ProcessInstancePermissions.SUSPEND).atomicCheckForResourceId(PROCESS_DEFINITION, processDefinitionKey, ProcessDefinitionPermissions.SUSPEND_INSTANCE).atomicCheckForResourceId(PROCESS_INSTANCE, null, UPDATE).atomicCheckForResourceId(PROCESS_DEFINITION, processDefinitionKey, UPDATE_INSTANCE).build();
AuthorizationManager.checkAuthorization(suspensionStatePermission);
}
