BZ-1229171 - Any authenticated user can see tasks from other users via Java Remote REST API: NPE fix when cmd user == null

Marco Rietveld · Marco Rietveld · commit 315a0bcc03aa · 2015-07-02T17:49:14.000+02:00
(cherry picked from commit 37c28f6)
diff --git a/kie-remote/kie-remote-client/src/main/java/org/kie/services/client/api/command/AbstractRemoteCommandObject.java b/kie-remote/kie-remote-client/src/main/java/org/kie/services/client/api/command/AbstractRemoteCommandObject.java
@@ -142,8 +142,7 @@ void preprocessCommand( Command cmd ) {
            if( cmdUserId == null ) { 
                taskCmd.setUserId(authUserId);
                logger.debug("Using user id '" + authUserId + "' for '" + cmdName + "'.");
-           }
-           if( ! cmdUserId.equals(authUserId) ) {
+           } else if( ! cmdUserId.equals(authUserId) ) {
               throw new RemoteApiException("The user id used when retrieving task information (" + cmdUserId + ")"
                       + " must match the authenticating user (" + authUserId + ")!");
            }
