pefernan opened a new issue, #2303:
URL: https://github.com/apache/incubator-kie-issues/issues/2303

When retrieving a Process Instance workitem ([AbstractProcessInstance#workitem(String workitemId, Policy... policies)](https://github.com/apache/incubator-kie-kogito-runtimes/blob/baea286b65db29e3cf7ca781375a784c9a6c3ee8/jbpm/jbpm-flow/src/main/java/org/kie/kogito/process/impl/AbstractProcessInstance.java#L650)), it enforces an authorization check on every work item in the process instance before obtaining the concrete instance, throwing a `NotAuthorizedException` if other active workitems are available when filtering.
   
```java
public WorkItem workItem(String workItemId, Policy... policies) {
    return executeInWorkflowProcessInstanceRead(pi -> pi.getNodeInstances(true).stream()
            .filter(WorkItemNodeInstance.class::isInstance)
            .map(WorkItemNodeInstance.class::cast)
            // <--- Enforcing security policy before obtaining the concrete instance.
            .filter(w -> enforceException(w.getWorkItem(), policies))
            .filter(ni -> ni.getWorkItemId().equals(workItemId))
            .map(this::toBaseWorkItem)
            .findAny()
            .orElseThrow(() -> new WorkItemNotFoundException(
                    "Work item with id " + workItemId + " was not found in process instance " + id(),
                    workItemId)));
}
```
   
   
Original discussion in Zulip: [#kogito > Authorization in Multi-Instance Subprocess](https://kie.zulipchat.com/#narrow/channel/232676-kogito/topic/Authorization.20in.20Multi-Instance.20Subprocess/with/593734035)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
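The filter-ordering problem described in the issue, reduced to a stand-alone example. This is added illustration, not code from the issue or from the Kogito code base: `WorkItem`, `Policy`, `enforce`, `enforceFirst` and `filterFirst` are assumed minimal stand-ins for the real types, `SecurityException` stands in for `NotAuthorizedException`, and the id-first ordering is an assumed fix rather than the project's patch.

```java
import java.util.List;
import java.util.function.Predicate;

// Minimal stand-ins for the Kogito types; these shapes are assumed, not the real API.
record WorkItem(String id, String actor) {}

// A policy is just a predicate over a work item here, e.g. "actor must be bob".
interface Policy extends Predicate<WorkItem> {}

public class WorkItemLookup {
    // Like enforceException(): a failing policy is an authorization error (here a
    // SecurityException stands in for NotAuthorizedException), not a "skip this
    // item", which is why the position of this filter in the stream matters.
    static boolean enforce(WorkItem wi, Policy... policies) {
        for (Policy p : policies) {
            if (!p.test(wi)) throw new SecurityException("not allowed on " + wi.id());
        }
        return true;
    }
    // Ordering from the issue: every work item is authorized before the id filter,
    // so an unrelated item owned by someone else aborts the whole lookup.
    static WorkItem enforceFirst(List<WorkItem> items, String id, Policy... policies) {
        return items.stream()
                .filter(w -> enforce(w, policies))
                .filter(w -> w.id().equals(id))
                .findAny()
                .orElseThrow(); // NoSuchElementException stands in for WorkItemNotFoundException
    }
    // Assumed fix (not the project's patch): narrow to the requested id first,
    // then authorize only that one item.
    static WorkItem filterFirst(List<WorkItem> items, String id, Policy... policies) {
        return items.stream()
                .filter(w -> w.id().equals(id))
                .filter(w -> enforce(w, policies))
                .findAny()
                .orElseThrow();
    }
    public static void main(String[] args) {
        // Constructed sample: two parallel work items, as in a multi-instance subprocess.
        List<WorkItem> items = List.of(new WorkItem("wi-1", "alice"), new WorkItem("wi-2", "bob"));
        Policy bobOnly = w -> "bob".equals(w.actor());
        System.out.println("filter-first: " + filterFirst(items, "wi-2", bobOnly));
        try {
            enforceFirst(items, "wi-2", bobOnly);
        } catch (SecurityException e) {
            System.out.println("enforce-first rejected bob's own item: " + e.getMessage());
        }
    }
}
```

With the issue's ordering, bob is refused his own work item `wi-2` because alice's `wi-1` is checked first; with the id filter applied first, only the requested item is subject to the policy.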