[incubator-kie-issues : 2059] Workflow Engine- User in a task Excluded users can still claim and complete the task

jbpm/jbpm-usertask/src/main/java/org/kie/kogito/usertask/impl/lifecycle/DefaultUserTaskLifeCycle.java

@@ -222,8 +222,10 @@ private String assignStrategy(UserTaskInstance userTaskInstance, IdentityProvide
     }
 
     private void checkPermission(UserTaskInstance userTaskInstance, IdentityProvider identityProvider) {
-        String user = identityProvider.getName();
-        Collection<String> roles = identityProvider.getRoles();
+        this.checkPermission(userTaskInstance, identityProvider.getName(), identityProvider.getRoles());
+    }
+
+    private void checkPermission(UserTaskInstance userTaskInstance, String user, Collection<String> roles) {
 
         if (WORKFLOW_ENGINE_USER.equals(user)) {
             return;
@@ -245,11 +247,18 @@ private void checkPermission(UserTaskInstance userTaskInstance, IdentityProvider
             return;
         }
 
+        Set<String> excludedUsers = userTaskInstance.getExcludedUsers();
+        if (excludedUsers != null && excludedUsers.contains(user)) {
+            String message = String.format("User '%s' is not authorized to perform an operation on user task '%s'",
+                    user, userTaskInstance.getId());
+            throw new UserTaskInstanceNotAuthorizedException(message);
+        }
+
         if (List.of(INACTIVE, ACTIVE).contains(userTaskInstance.getStatus())) {
             // there is no user
             Set<String> users = new HashSet<>(userTaskInstance.getPotentialUsers());
             users.removeAll(userTaskInstance.getExcludedUsers());
-            if (users.contains(identityProvider.getName())) {
+            if (users.contains(user)) {
                 return;
             }
 

kogito-codegen-modules/kogito-codegen-processes-integration-tests/src/test/java/org/kie/kogito/codegen/tests/UserTaskIT.java

@@ -66,6 +66,7 @@
 import static java.util.Collections.singletonMap;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.kie.kogito.usertask.impl.lifecycle.DefaultUserTaskLifeCycle.CLAIM;
 import static org.kie.kogito.usertask.impl.lifecycle.DefaultUserTaskLifeCycle.COMPLETE;
@@ -514,6 +515,11 @@ public void testApprovalWithExcludedOwnerViaPhases() throws Exception {
         userTaskInstances = userTasks.instances().findByIdentity(IdentityProviders.of("admin", singletonList("managers")));
         assertThat(userTaskInstances).isNotNull().hasSize(1);
         UserTaskInstance ut_2 = userTaskInstances.get(0);
+        // attempt to claim task with excluded user (manager)
+        assertThrows(UserTaskInstanceNotAuthorizedException.class, () -> {
+            ut_2.transition(CLAIM, emptyMap(), IdentityProviders.of("manager", singletonList("managers")));
+        });
+        // claim and complete task with different user (admin)
         ut_2.transition(CLAIM, emptyMap(), IdentityProviders.of("admin", singletonList("managers")));
         ut_2.transition(COMPLETE, emptyMap(), IdentityProviders.of("admin", singletonList("managers")));