incubator-kie-issues#1388: UserTasks without Actors/Groups assignments can transition to any phase without checking any security policy

api/kogito-api-incubation-processes-services/src/main/java/org/kie/kogito/incubation/processes/services/humantask/HumanTaskService.java

@@ -26,7 +26,7 @@
 public interface HumanTaskService {
     ExtendedDataContext get(LocalId id, MetaDataContext meta);
 
-    ExtendedDataContext create(LocalId taskId);
+    ExtendedDataContext create(LocalId taskId, DataContext dataContext);
 
     ExtendedDataContext abort(LocalId taskId, MetaDataContext meta);
 

api/kogito-api/src/main/java/org/kie/kogito/process/ProcessService.java

@@ -77,7 +77,7 @@ <T extends Model> ProcessInstance<T> createProcessInstance(Process<T> process, S
 
     <T extends Model> Optional<List<WorkItem>> getTasks(Process<T> process, String id, SecurityPolicy policy);
 
-    <T extends Model> Optional<WorkItem> signalTask(Process<T> process, String id, String taskNodeName);
+    <T extends Model> Optional<WorkItem> signalTask(Process<T> process, String id, String taskNodeName, SecurityPolicy policy);
 
     <T extends Model, R extends MapOutput> Optional<R> saveTask(Process<T> process,
             String id,

jbpm/jbpm-flow/src/main/java/org/jbpm/process/instance/impl/humantask/HumanTaskWorkItemImpl.java

@@ -191,10 +191,6 @@ protected void checkAssignedOwners(String user, Collection<String> roles) {
             throw new NotAuthorizedException("User " + user + " is not authorized to access task instance with id " + getStringId());
         }
 
-        // if there are no assignments means open to everyone
-        if (getPotentialUsers().isEmpty() && getPotentialGroups().isEmpty()) {
-            return;
-        }
         // check if user is in potential users or groups 
         if (!getPotentialUsers().contains(user) &&
                 getPotentialGroups().stream().noneMatch(roles::contains)) {

jbpm/jbpm-flow/src/main/java/org/kie/kogito/process/impl/ProcessServiceImpl.java

@@ -170,7 +170,7 @@ public <T extends Model> Optional<List<WorkItem>> getTasks(Process<T> process, S
     }
 
     @Override
-    public <T extends Model> Optional<WorkItem> signalTask(Process<T> process, String id, String taskName) {
+    public <T extends Model> Optional<WorkItem> signalTask(Process<T> process, String id, String taskName, SecurityPolicy policy) {
         return UnitOfWorkExecutor.executeInUnitOfWork(application.unitOfWorkManager(), () -> process
                 .instances()
                 .findById(id)
@@ -183,13 +183,13 @@ public <T extends Model> Optional<WorkItem> signalTask(Process<T> process, Strin
                     String taskNodeName = node.getName();
                     pi.send(Sig.of(taskNodeName, Collections.emptyMap()));
 
-                    return getTaskByName(pi, taskName).orElse(null);
+                    return getTaskByName(pi, taskName, policy).orElse(null);
                 }));
     }
 
-    public <T extends Model> Optional<WorkItem> getTaskByName(ProcessInstance<T> pi, String taskName) {
+    private <T extends Model> Optional<WorkItem> getTaskByName(ProcessInstance<T> pi, String taskName, SecurityPolicy... policies) {
         return pi
-                .workItems()
+                .workItems(policies)
                 .stream()
                 .filter(wi -> wi.getName().equals(taskName))
                 .findFirst();

jbpm/jbpm-tests/src/test/bpmn/org/jbpm/bpmn2/activity/BPMN2-UserTaskAssignmentActor.bpmn

@@ -0,0 +1,123 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bpmn2:definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:bpmn2="http://www.omg.org/spec/BPMN/20100524/MODEL" xmlns:bpmndi="http://www.omg.org/spec/BPMN/20100524/DI" xmlns:bpsim="http://www.bpsim.org/schemas/1.0" xmlns:dc="http://www.omg.org/spec/DD/20100524/DC" xmlns:di="http://www.omg.org/spec/DD/20100524/DI" xmlns:drools="http://www.jboss.org/drools" id="_TfEFMCWmED20cJveoGveWg" xsi:schemaLocation="http://www.omg.org/spec/BPMN/20100524/MODEL BPMN20.xsd http://www.jboss.org/drools drools.xsd http://www.bpsim.org/schemas/1.0 bpsim.xsd http://www.omg.org/spec/DD/20100524/DC DC.xsd http://www.omg.org/spec/DD/20100524/DI DI.xsd " exporter="jBPM Process Modeler" exporterVersion="2.0" targetNamespace="http://www.omg.org/bpmn20">
+  <bpmn2:itemDefinition id="__7349D0A9-C99C-44C1-A0FA-11E21DC45046_SkippableInputXItem" structureRef="Object"/>
+  <bpmn2:itemDefinition id="__7349D0A9-C99C-44C1-A0FA-11E21DC45046_PriorityInputXItem" structureRef="Object"/>
+  <bpmn2:itemDefinition id="__7349D0A9-C99C-44C1-A0FA-11E21DC45046_CommentInputXItem" structureRef="Object"/>
+  <bpmn2:itemDefinition id="__7349D0A9-C99C-44C1-A0FA-11E21DC45046_DescriptionInputXItem" structureRef="Object"/>
+  <bpmn2:itemDefinition id="__7349D0A9-C99C-44C1-A0FA-11E21DC45046_CreatedByInputXItem" structureRef="Object"/>
+  <bpmn2:itemDefinition id="__7349D0A9-C99C-44C1-A0FA-11E21DC45046_TaskNameInputXItem" structureRef="Object"/>
+  <bpmn2:itemDefinition id="__7349D0A9-C99C-44C1-A0FA-11E21DC45046_GroupIdInputXItem" structureRef="Object"/>
+  <bpmn2:itemDefinition id="__7349D0A9-C99C-44C1-A0FA-11E21DC45046_ContentInputXItem" structureRef="Object"/>
+  <bpmn2:itemDefinition id="__7349D0A9-C99C-44C1-A0FA-11E21DC45046_NotStartedReassignInputXItem" structureRef="Object"/>
+  <bpmn2:itemDefinition id="__7349D0A9-C99C-44C1-A0FA-11E21DC45046_NotCompletedReassignInputXItem" structureRef="Object"/>
+  <bpmn2:itemDefinition id="__7349D0A9-C99C-44C1-A0FA-11E21DC45046_NotStartedNotifyInputXItem" structureRef="Object"/>
+  <bpmn2:itemDefinition id="__7349D0A9-C99C-44C1-A0FA-11E21DC45046_NotCompletedNotifyInputXItem" structureRef="Object"/>
+  <bpmn2:collaboration id="_EC3C364F-5D39-410A-B21E-5F37C48D569F" name="Default Collaboration">
+    <bpmn2:participant id="_C9FFE652-C247-4A47-9759-DF26ADDE79F1" name="Pool Participant" processRef="UserTaskActor"/>
+  </bpmn2:collaboration>
+  <bpmn2:process id="UserTaskActor" drools:packageName="org.jbpm.bpmn2.flow" drools:version="1.0" drools:adHoc="false" name="User Task Actor Assignment" isExecutable="true" processType="Private">
+    <bpmn2:sequenceFlow id="_37E3A306-1ECB-4937-A5DD-CEA62F29A4D5" sourceRef="_7349D0A9-C99C-44C1-A0FA-11E21DC45046" targetRef="_7A817BF1-2145-47E5-9E0F-F33A816C61D6"/>
+    <bpmn2:sequenceFlow id="_0D2B7D7C-D753-4CCF-94D6-C4BFD669A192" sourceRef="_E3A86C68-8E84-4A40-8753-D2D51C471640" targetRef="_7349D0A9-C99C-44C1-A0FA-11E21DC45046"/>
+    <bpmn2:endEvent id="_7A817BF1-2145-47E5-9E0F-F33A816C61D6">
+      <bpmn2:incoming>_37E3A306-1ECB-4937-A5DD-CEA62F29A4D5</bpmn2:incoming>
+    </bpmn2:endEvent>
+    <bpmn2:userTask id="_7349D0A9-C99C-44C1-A0FA-11E21DC45046" name="User Task">
+      <bpmn2:extensionElements>
+        <drools:metaData name="elementname">
+          <drools:metaValue><![CDATA[User Task]]></drools:metaValue>
+        </drools:metaData>
+      </bpmn2:extensionElements>
+      <bpmn2:incoming>_0D2B7D7C-D753-4CCF-94D6-C4BFD669A192</bpmn2:incoming>
+      <bpmn2:outgoing>_37E3A306-1ECB-4937-A5DD-CEA62F29A4D5</bpmn2:outgoing>
+      <bpmn2:ioSpecification>
+        <bpmn2:dataInput id="_7349D0A9-C99C-44C1-A0FA-11E21DC45046_TaskNameInputX" drools:dtype="Object" itemSubjectRef="__7349D0A9-C99C-44C1-A0FA-11E21DC45046_TaskNameInputXItem" name="TaskName"/>
+        <bpmn2:dataInput id="_7349D0A9-C99C-44C1-A0FA-11E21DC45046_SkippableInputX" drools:dtype="Object" itemSubjectRef="__7349D0A9-C99C-44C1-A0FA-11E21DC45046_SkippableInputXItem" name="Skippable"/>
+        <bpmn2:inputSet>
+          <bpmn2:dataInputRefs>_7349D0A9-C99C-44C1-A0FA-11E21DC45046_TaskNameInputX</bpmn2:dataInputRefs>
+          <bpmn2:dataInputRefs>_7349D0A9-C99C-44C1-A0FA-11E21DC45046_SkippableInputX</bpmn2:dataInputRefs>
+        </bpmn2:inputSet>
+      </bpmn2:ioSpecification>
+      <bpmn2:dataInputAssociation>
+        <bpmn2:targetRef>_7349D0A9-C99C-44C1-A0FA-11E21DC45046_TaskNameInputX</bpmn2:targetRef>
+        <bpmn2:assignment>
+          <bpmn2:from xsi:type="bpmn2:tFormalExpression"><![CDATA[Task]]></bpmn2:from>
+          <bpmn2:to xsi:type="bpmn2:tFormalExpression"><![CDATA[_7349D0A9-C99C-44C1-A0FA-11E21DC45046_TaskNameInputX]]></bpmn2:to>
+        </bpmn2:assignment>
+      </bpmn2:dataInputAssociation>
+      <bpmn2:dataInputAssociation>
+        <bpmn2:targetRef>_7349D0A9-C99C-44C1-A0FA-11E21DC45046_SkippableInputX</bpmn2:targetRef>
+        <bpmn2:assignment>
+          <bpmn2:from xsi:type="bpmn2:tFormalExpression"><![CDATA[false]]></bpmn2:from>
+          <bpmn2:to xsi:type="bpmn2:tFormalExpression"><![CDATA[_7349D0A9-C99C-44C1-A0FA-11E21DC45046_SkippableInputX]]></bpmn2:to>
+        </bpmn2:assignment>
+      </bpmn2:dataInputAssociation>
+      <bpmn2:potentialOwner id="_TfEsQCWmED20cJveoGveWg">
+        <bpmn2:resourceAssignmentExpression id="_TfEsQSWmED20cJveoGveWg">
+          <bpmn2:formalExpression>john</bpmn2:formalExpression>
+        </bpmn2:resourceAssignmentExpression>
+      </bpmn2:potentialOwner>
+    </bpmn2:userTask>
+    <bpmn2:startEvent id="_E3A86C68-8E84-4A40-8753-D2D51C471640">
+      <bpmn2:outgoing>_0D2B7D7C-D753-4CCF-94D6-C4BFD669A192</bpmn2:outgoing>
+    </bpmn2:startEvent>
+  </bpmn2:process>
+  <bpmndi:BPMNDiagram>
+    <bpmndi:BPMNPlane bpmnElement="UserTaskActor">
+      <bpmndi:BPMNShape id="shape__E3A86C68-8E84-4A40-8753-D2D51C471640" bpmnElement="_E3A86C68-8E84-4A40-8753-D2D51C471640">
+        <dc:Bounds height="56" width="56" x="119" y="94"/>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="shape__7349D0A9-C99C-44C1-A0FA-11E21DC45046" bpmnElement="_7349D0A9-C99C-44C1-A0FA-11E21DC45046">
+        <dc:Bounds height="102" width="154" x="255" y="71"/>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="shape__7A817BF1-2145-47E5-9E0F-F33A816C61D6" bpmnElement="_7A817BF1-2145-47E5-9E0F-F33A816C61D6">
+        <dc:Bounds height="56" width="56" x="489" y="94"/>
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNEdge id="edge_shape__E3A86C68-8E84-4A40-8753-D2D51C471640_to_shape__7349D0A9-C99C-44C1-A0FA-11E21DC45046" bpmnElement="_0D2B7D7C-D753-4CCF-94D6-C4BFD669A192">
+        <di:waypoint x="147" y="122"/>
+        <di:waypoint x="332" y="122"/>
+      </bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="edge_shape__7349D0A9-C99C-44C1-A0FA-11E21DC45046_to_shape__7A817BF1-2145-47E5-9E0F-F33A816C61D6" bpmnElement="_37E3A306-1ECB-4937-A5DD-CEA62F29A4D5">
+        <di:waypoint x="332" y="122"/>
+        <di:waypoint x="517" y="122"/>
+      </bpmndi:BPMNEdge>
+    </bpmndi:BPMNPlane>
+  </bpmndi:BPMNDiagram>
+  <bpmn2:relationship type="BPSimData">
+    <bpmn2:extensionElements>
+      <bpsim:BPSimData>
+        <bpsim:Scenario id="default" name="Simulationscenario">
+          <bpsim:ScenarioParameters/>
+          <bpsim:ElementParameters elementRef="_E3A86C68-8E84-4A40-8753-D2D51C471640">
+            <bpsim:TimeParameters>
+              <bpsim:ProcessingTime>
+                <bpsim:NormalDistribution mean="0" standardDeviation="0"/>
+              </bpsim:ProcessingTime>
+            </bpsim:TimeParameters>
+          </bpsim:ElementParameters>
+          <bpsim:ElementParameters elementRef="_7349D0A9-C99C-44C1-A0FA-11E21DC45046">
+            <bpsim:TimeParameters>
+              <bpsim:ProcessingTime>
+                <bpsim:NormalDistribution mean="0" standardDeviation="0"/>
+              </bpsim:ProcessingTime>
+            </bpsim:TimeParameters>
+            <bpsim:ResourceParameters>
+              <bpsim:Availability>
+                <bpsim:FloatingParameter value="0"/>
+              </bpsim:Availability>
+              <bpsim:Quantity>
+                <bpsim:FloatingParameter value="0"/>
+              </bpsim:Quantity>
+            </bpsim:ResourceParameters>
+            <bpsim:CostParameters>
+              <bpsim:UnitCost>
+                <bpsim:FloatingParameter value="0"/>
+              </bpsim:UnitCost>
+            </bpsim:CostParameters>
+          </bpsim:ElementParameters>
+        </bpsim:Scenario>
+      </bpsim:BPSimData>
+    </bpmn2:extensionElements>
+    <bpmn2:source>_TfEFMCWmED20cJveoGveWg</bpmn2:source>
+    <bpmn2:target>_TfEFMCWmED20cJveoGveWg</bpmn2:target>
+  </bpmn2:relationship>
+</bpmn2:definitions>