Fix the filter for claimable work items

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/cases/PageWorkItemsClaimable.java

@@ -23,7 +23,6 @@
 import com.evolveum.midpoint.prism.query.ObjectFilter;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.result.OperationResultStatus;
-import com.evolveum.midpoint.schema.util.CaseTypeUtil;
 import com.evolveum.midpoint.schema.util.CaseWorkItemUtil;
 import com.evolveum.midpoint.schema.util.WorkItemId;
 import com.evolveum.midpoint.security.api.AuthorizationConstants;
@@ -36,13 +35,9 @@
 import com.evolveum.midpoint.web.component.menu.cog.InlineMenuItem;
 import com.evolveum.midpoint.web.component.menu.cog.InlineMenuItemAction;
 import com.evolveum.midpoint.web.page.admin.workflow.PageAdminWorkItems;
-import com.evolveum.midpoint.web.page.admin.workflow.PageWorkItems;
-import com.evolveum.midpoint.web.page.admin.workflow.WorkItemsPageType;
-import com.evolveum.midpoint.web.page.admin.workflow.dto.WorkItemDto;
 import com.evolveum.midpoint.web.security.SecurityUtils;
 import com.evolveum.midpoint.wf.util.QueryUtils;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.CaseWorkItemType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.OtherPrivilegesLimitationType;
 import org.apache.wicket.ajax.AjaxRequestTarget;
 import org.apache.wicket.model.IModel;
 import org.apache.wicket.model.Model;
@@ -51,8 +46,6 @@
 import java.util.Arrays;
 import java.util.List;
 
-import static com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractWorkItemType.F_CREATE_TIMESTAMP;
-
 /**
  * @author lazyman
  */
@@ -79,7 +72,7 @@ public PageWorkItemsClaimable() {
     protected ObjectFilter getCaseWorkItemsFilter(){
         OperationResult result = new OperationResult(OPERATION_LOAD_CLAIMABLE_WORK_ITEMS);
         try {
-            return QueryUtils.filterForGroups(getPrismContext().queryFor(CaseWorkItemType.class),
+            return QueryUtils.filterForClaimableItems(getPrismContext().queryFor(CaseWorkItemType.class),
                     SecurityUtils.getPrincipalUser().getOid(),
                     getRepositoryService(), getRelationRegistry(), result)
                     .buildFilter();

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/workflow/dto/WorkItemDtoProvider.java

@@ -175,7 +175,7 @@ private ObjectQuery createQuery(OperationResult result) throws SchemaException {
         if (WorkItemsPageType.ALL.equals(workItemsPageType) && authorizedToSeeAll) {
             return q.build();
         } else if (WorkItemsPageType.CLAIMABLE.equals(workItemsPageType)) {
-            return QueryUtils.filterForGroups(q, currentUserOid(), getRepositoryService(), getRelationRegistry(), result).build();
+            return QueryUtils.filterForClaimableItems(q, currentUserOid(), getRepositoryService(), getRelationRegistry(), result).build();
         } else {
             // not authorized to see all => sees only allocated to him (not quite what is expected, but sufficient for the time being)
             return QueryUtils.filterForAssignees(q, SecurityUtils.getPrincipalUser(),

model/workflow-api/src/main/java/com/evolveum/midpoint/wf/util/QueryUtils.java

@@ -16,7 +16,6 @@
 
 package com.evolveum.midpoint.wf.util;
 
-import com.evolveum.midpoint.prism.PrismConstants;
 import com.evolveum.midpoint.prism.PrismReferenceValue;
 import com.evolveum.midpoint.prism.query.builder.S_AtomicFilterExit;
 import com.evolveum.midpoint.prism.query.builder.S_FilterEntryOrEmpty;
@@ -74,10 +73,12 @@ public static S_AtomicFilterExit filterForNotClosedStateAndAssignees(S_FilterEnt
 		}
 	}
 
-	public static S_FilterExit filterForGroups(S_FilterEntryOrEmpty q, String userOid, RepositoryService repositoryService,
+	public static S_FilterExit filterForClaimableItems(S_FilterEntryOrEmpty q, String userOid, RepositoryService repositoryService,
 			RelationRegistry relationRegistry, OperationResult result)
 			throws SchemaException {
-		return q.item(CaseWorkItemType.F_CANDIDATE_REF).ref(getGroupsForUser(userOid, repositoryService, relationRegistry, result));
+		List<PrismReferenceValue> candidates = getCandidatesForUser(userOid, repositoryService, relationRegistry, result);
+		return q.item(CaseWorkItemType.F_CANDIDATE_REF).ref(candidates)
+				.and().item(CaseWorkItemType.F_ASSIGNEE_REF).isNull();
 	}
 
 	private static List<PrismReferenceValue> getPotentialAssigneesForUser(MidPointPrincipal principal,
@@ -94,7 +95,11 @@ private static List<PrismReferenceValue> getPotentialAssigneesForUser(MidPointPr
 		return rv;
 	}
 
-	private static List<PrismReferenceValue> getGroupsForUser(String userOid, RepositoryService repositoryService,
+	/**
+	 * Returns values to look for in candidateRef field. Basically, all the groups a user is member of should be present here.
+	 * The question is what to do if candidateRef points to another user or users. This case is obviously not supported yet.
+	 */
+	private static List<PrismReferenceValue> getCandidatesForUser(String userOid, RepositoryService repositoryService,
 			RelationRegistry relationRegistry, OperationResult result) throws SchemaException {
 		List<PrismReferenceValue> rv = new ArrayList<>();
 		UserType userType;