RHBPMS-397 - Allow insecure Remote task operations (not only limited …

…to GetTask* commands) (kiegroup#551)
jiripetrlik · Jul 28, 2016 · 67d7c0f · 67d7c0f
1 parent 1328793
commit 67d7c0f
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 11 deletions.
diff --git a/...ent/src/main/java/org/kie/remote/client/internal/command/AbstractRemoteCommandObject.java b/...ent/src/main/java/org/kie/remote/client/internal/command/AbstractRemoteCommandObject.java
@@ -165,7 +165,7 @@ protected <T> T executeCommand( Command cmd ) {
 
     void preprocessCommand( Command cmd ) {
         String cmdName = cmd.getClass().getSimpleName();
-        if( ! config.getDisableTaskSecurity() && cmd instanceof TaskCommand && cmdName.startsWith("GetTask") ) {
+        if( ! config.getDisableTaskSecurity() && cmd instanceof TaskCommand ) {
            TaskCommand taskCmd = (TaskCommand) cmd;
            String cmdUserId = taskCmd.getUserId();
            String authUserId = config.getUserName();

diff --git a/...te/kie-remote-services/src/main/java/org/kie/remote/services/util/ExecuteCommandUtil.java b/...te/kie-remote-services/src/main/java/org/kie/remote/services/util/ExecuteCommandUtil.java
@@ -42,16 +42,14 @@ public static JaxbCommandsResponse restProcessJaxbCommandsRequest(JaxbCommandsRe
                 if( cmd instanceof TaskCommand ) {
                     String cmdName = cmd.getClass().getSimpleName();
                     if( ! allowAllUsersAccessToAllTasks ) {
-                        if( cmdName.startsWith("GetTask") ) {
-                            String cmdUserId = ((TaskCommand) cmd).getUserId();
-                            if( cmdUserId == null ) {
-                                throw KieRemoteRestOperationException.badRequest("A null user id for a '" + cmdName + "' is not allowed!");
-                            }
-                            String authUserId = identityProvider.getName();
-                            if( ! cmdUserId.equals(authUserId) ) {
-                                throw KieRemoteRestOperationException.conflict("The user id used when retrieving task information (" + cmdUserId + ")"
-                                        + " must match the authenticating user (" + authUserId + ")!");
-                            }
+                        String cmdUserId = ((TaskCommand) cmd).getUserId();
+                        if( cmdUserId == null ) {
+                            throw KieRemoteRestOperationException.badRequest("A null user id for a '" + cmdName + "' is not allowed!");
+                        }
+                        String authUserId = identityProvider.getName();
+                        if( ! cmdUserId.equals(authUserId) ) {
+                            throw KieRemoteRestOperationException.conflict("The user id used when retrieving task information (" + cmdUserId + ")"
+                                    + " must match the authenticating user (" + authUserId + ")!");
                         }
                     }
                 }