in kogito-springboot-examples/process-usertasks-custom-lifecycle-springboot/src/main/java/org/acme/travels/usertasks/CustomUserTaskLifeCycle.java [177:217]
/**
 * Verifies that the caller described by {@code identityProvider} may operate on
 * {@code userTaskInstance}. Returns normally when access is allowed.
 *
 * <p>Access is granted, in this order, when the caller's name equals
 * {@code WORKFLOW_ENGINE_USER}, is listed among the task's admin users, when one of the
 * caller's roles is listed among the task's admin groups, or when the caller is the task's
 * actual owner. While the task status is {@code INACTIVE}, {@code ACTIVE} or
 * {@code STARTED}, access is also granted to a potential user who is not an excluded user,
 * and to a caller holding a role listed among the task's potential groups.
 *
 * @param userTaskInstance the task whose assignment lists are consulted
 * @param identityProvider source of the caller's name and roles
 * @throws NotAuthorizedException if none of the rules above matches
 */
private void checkPermission(UserTaskInstance userTaskInstance, IdentityProvider identityProvider) {
    final String caller = identityProvider.getName();
    final Collection<String> callerRoles = identityProvider.getRoles();

    // NOTE(review): unconditional bypass keyed only on the name string. It is only as strong
    // as the way IdentityProvider is populated; confirm the name always comes from an
    // authenticated principal and can never be supplied by the request itself.
    if (WORKFLOW_ENGINE_USER.equals(caller)) {
        return;
    }

    // Administrators: by name first, then by any role shared with the admin groups.
    if (userTaskInstance.getAdminUsers().contains(caller)) {
        return;
    }
    if (userTaskInstance.getAdminGroups().stream().anyMatch(callerRoles::contains)) {
        return;
    }

    // The current owner may always act on the task.
    final String owner = userTaskInstance.getActualOwner();
    if (owner != null && owner.equals(caller)) {
        return;
    }

    // Potential owners are considered only in these three states.
    final boolean openToPotentialOwners = List.of(INACTIVE, ACTIVE, STARTED).contains(userTaskInstance.getStatus());
    if (openToPotentialOwners) {
        final Set<String> eligibleUsers = new HashSet<>(userTaskInstance.getPotentialUsers());
        eligibleUsers.removeAll(userTaskInstance.getExcludedUsers());
        // The name is read from the provider again here, as in the original code.
        if (eligibleUsers.contains(identityProvider.getName())) {
            return;
        }

        // NOTE(review): excluded users are subtracted from the potential users only. A caller
        // on the excluded list still passes here through a potential-group role; confirm
        // that is intended.
        if (userTaskInstance.getPotentialGroups().stream().anyMatch(callerRoles::contains)) {
            return;
        }
    }

    // NOTE(review): the message carries the caller's name and full role list; check that it
    // is not returned verbatim to clients.
    final String reason = "user " + caller + " with roles " + callerRoles
            + " not autorized to perform an operation on user task " + userTaskInstance.getId();
    throw new NotAuthorizedException(reason);
}