add REST API interceptors for handling more diverse permissions (identity links, variables, conditional events)

modules/flowable-cmmn-rest/src/main/java/org/flowable/cmmn/rest/service/api/CmmnRestApiInterceptor.java

@@ -13,6 +13,7 @@
 package org.flowable.cmmn.rest.service.api;
 
 import java.util.Collection;
+import java.util.Map;
 
 import org.flowable.cmmn.api.history.HistoricCaseInstance;
 import org.flowable.cmmn.api.history.HistoricCaseInstanceQuery;
@@ -32,6 +33,8 @@
 import org.flowable.cmmn.api.runtime.PlanItemInstance;
 import org.flowable.cmmn.api.runtime.PlanItemInstanceQuery;
 import org.flowable.cmmn.api.runtime.VariableInstanceQuery;
+import org.flowable.cmmn.rest.service.api.engine.RestIdentityLink;
+import org.flowable.cmmn.rest.service.api.engine.variable.RestVariable;
 import org.flowable.cmmn.rest.service.api.history.caze.HistoricCaseInstanceQueryRequest;
 import org.flowable.cmmn.rest.service.api.history.milestone.HistoricMilestoneInstanceQueryRequest;
 import org.flowable.cmmn.rest.service.api.history.planitem.HistoricPlanItemInstanceQueryRequest;
@@ -49,6 +52,7 @@
 import org.flowable.cmmn.rest.service.api.runtime.variable.VariableInstanceQueryRequest;
 import org.flowable.eventsubscription.api.EventSubscription;
 import org.flowable.eventsubscription.api.EventSubscriptionQuery;
+import org.flowable.identitylink.api.IdentityLink;
 import org.flowable.job.api.DeadLetterJobQuery;
 import org.flowable.job.api.HistoryJob;
 import org.flowable.job.api.HistoryJobQuery;
@@ -78,6 +82,20 @@ public interface CmmnRestApiInterceptor {
     void deleteTask(Task task);
 
     void executeTaskAction(Task task, TaskActionRequest actionRequest);
+
+    void createTaskVariables(Task task, Map<String, Object> variables, RestVariable.RestVariableScope scope);
+
+    void updateTaskVariables(Task task, Map<String, Object> variables, RestVariable.RestVariableScope scope);
+
+    void deleteTaskVariables(Task task, Collection<String> variableNames, RestVariable.RestVariableScope scope);
+
+    void accessTaskIdentityLinks(Task task);
+
+    void accessTaskIdentityLink(Task task, IdentityLink identityLink);
+
+    void deleteTaskIdentityLink(Task task, IdentityLink identityLink);
+
+    void createTaskIdentityLink(Task task, RestIdentityLink identityLink);
 
     void accessCaseInstanceInfoById(CaseInstance caseInstance);
 
@@ -96,7 +114,21 @@ public interface CmmnRestApiInterceptor {
     void doCaseInstanceAction(CaseInstance caseInstance, RestActionRequest actionRequest);
 
     void updateCaseInstance(CaseInstance caseInstance, CaseInstanceUpdateRequest updateRequest);
+
+    void createCaseInstanceVariables(CaseInstance caseInstance, Map<String, Object> variables);
+
+    void updateCaseInstanceVariables(CaseInstance caseInstance, Map<String, Object> variables);
+
+    void deleteCaseInstanceVariables(CaseInstance caseInstance, Collection<String> variableNames);
 
+    void accessCaseInstanceIdentityLinks(CaseInstance caseInstance);
+
+    void accessCaseInstanceIdentityLink(CaseInstance caseInstance, IdentityLink identityLink);
+
+    void deleteCaseInstanceIdentityLink(CaseInstance caseInstance, IdentityLink identityLink);
+
+    void createCaseInstanceIdentityLink(CaseInstance caseInstance, RestIdentityLink identityLink);
+
     void accessPlanItemInstanceInfoById(PlanItemInstance planItemInstance);
 
     void accessPlanItemInstanceInfoWithQuery(PlanItemInstanceQuery planItemInstanceQuery, PlanItemInstanceQueryRequest request);
@@ -108,6 +140,14 @@ public interface CmmnRestApiInterceptor {
     void accessVariableInfoWithQuery(VariableInstanceQuery variableInstanceQuery, VariableInstanceQueryRequest request);
 
     void accessCaseDefinitionById(CaseDefinition caseDefinition);
+
+    void accessCaseDefinitionIdentityLinks(CaseDefinition caseDefinition);
+
+    void accessCaseDefinitionIdentityLink(CaseDefinition caseDefinition, IdentityLink identityLink);
+
+    void deleteCaseDefinitionIdentityLink(CaseDefinition caseDefinition, IdentityLink identityLink);
+
+    void createCaseDefinitionIdentityLink(CaseDefinition caseDefinition, RestIdentityLink identityLink);
 
     void accessCaseDefinitionsWithQuery(CaseDefinitionQuery caseDefinitionQuery);
 
@@ -156,12 +196,16 @@ public interface CmmnRestApiInterceptor {
     void accessHistoryTaskInfoWithQuery(HistoricTaskInstanceQuery historicTaskInstanceQuery, HistoricTaskInstanceQueryRequest request);
 
     void deleteHistoricTask(HistoricTaskInstance historicTaskInstance);
+
+    void accessHistoricTaskIdentityLinks(HistoricTaskInstance historicTaskInstance);
 
     void accessHistoryCaseInfoById(HistoricCaseInstance historicCaseInstance);
 
     void accessHistoryCaseInfoWithQuery(HistoricCaseInstanceQuery historicCaseInstanceQuery, HistoricCaseInstanceQueryRequest request);
 
     void deleteHistoricCase(HistoricCaseInstance historicCaseInstance);
+
+    void accessHistoricCaseIdentityLinks(HistoricCaseInstance historicCaseInstance);
 
     void bulkDeleteHistoricCases(Collection<String> instanceIds);
 

modules/flowable-cmmn-rest/src/main/java/org/flowable/cmmn/rest/service/api/history/caze/HistoricCaseInstanceBaseResource.java

@@ -217,11 +217,17 @@ protected DataResponse<HistoricCaseInstanceResponse> getQueryResponse(HistoricCa
         return responseList;
     }
 
-    protected HistoricCaseInstance getHistoricCaseInstanceFromRequest(String caseInstanceId) {
+    protected HistoricCaseInstance getHistoricCaseInstanceFromRequestWithoutAccessCheck(String caseInstanceId) {
         HistoricCaseInstance caseInstance = historyService.createHistoricCaseInstanceQuery().caseInstanceId(caseInstanceId).singleResult();
         if (caseInstance == null) {
             throw new FlowableObjectNotFoundException("Could not find a case instance with id '" + caseInstanceId + "'.", HistoricCaseInstance.class);
         }
+
+        return caseInstance;
+    }
+
+    protected HistoricCaseInstance getHistoricCaseInstanceFromRequestWithAccessCheck(String caseInstanceId) {
+        HistoricCaseInstance caseInstance = getHistoricCaseInstanceFromRequestWithoutAccessCheck(caseInstanceId);
 
         if (restApiInterceptor != null) {
             restApiInterceptor.accessHistoryCaseInfoById(caseInstance);

modules/flowable-cmmn-rest/src/main/java/org/flowable/cmmn/rest/service/api/history/caze/HistoricCaseInstanceIdentityLinkCollectionResource.java

@@ -54,7 +54,11 @@ public class HistoricCaseInstanceIdentityLinkCollectionResource extends Historic
             @ApiResponse(code = 404, message = "Indicates the process instance could not be found..") })
     @GetMapping(value = "/cmmn-history/historic-case-instances/{caseInstanceId}/identitylinks", produces = "application/json")
     public List<HistoricIdentityLinkResponse> getCaseIdentityLinks(@ApiParam(name = "caseInstanceId") @PathVariable String caseInstanceId, HttpServletRequest request) {
-        HistoricCaseInstance caseInstance = getHistoricCaseInstanceFromRequest(caseInstanceId);
+        HistoricCaseInstance caseInstance = getHistoricCaseInstanceFromRequestWithoutAccessCheck(caseInstanceId);
+
+        if (restApiInterceptor != null) {
+            restApiInterceptor.accessHistoricCaseIdentityLinks(caseInstance);
+        }
 
         List<HistoricIdentityLink> identityLinks = historyService.getHistoricIdentityLinksForCaseInstance(caseInstance.getId());
 

modules/flowable-cmmn-rest/src/main/java/org/flowable/cmmn/rest/service/api/history/caze/HistoricCaseInstanceResource.java

@@ -68,7 +68,8 @@ public class HistoricCaseInstanceResource extends HistoricCaseInstanceBaseResour
             @ApiResponse(code = 404, message = "Indicates that the historic process instances could not be found.") })
     @GetMapping(value = "/cmmn-history/historic-case-instances/{caseInstanceId}", produces = "application/json")
     public HistoricCaseInstanceResponse getCaseInstance(@ApiParam(name = "caseInstanceId") @PathVariable String caseInstanceId) {
-        HistoricCaseInstanceResponse caseInstanceResponse = restResponseFactory.createHistoricCaseInstanceResponse(getHistoricCaseInstanceFromRequest(caseInstanceId));
+        HistoricCaseInstanceResponse caseInstanceResponse = restResponseFactory.createHistoricCaseInstanceResponse(
+                getHistoricCaseInstanceFromRequestWithAccessCheck(caseInstanceId));
 
         CaseDefinition caseDefinition = cmmnRepositoryService.createCaseDefinitionQuery().caseDefinitionId(caseInstanceResponse.getCaseDefinitionId()).singleResult();
         if (caseDefinition != null) {
@@ -85,7 +86,7 @@ public HistoricCaseInstanceResponse getCaseInstance(@ApiParam(name = "caseInstan
             @ApiResponse(code = 404, message = "Indicates that the historic process instance could not be found.") })
     @DeleteMapping(value = "/cmmn-history/historic-case-instances/{caseInstanceId}")
     public void deleteCaseInstance(@ApiParam(name = "caseInstanceId") @PathVariable String caseInstanceId, HttpServletResponse response) {
-        HistoricCaseInstance caseInstance = getHistoricCaseInstanceFromRequest(caseInstanceId);
+        HistoricCaseInstance caseInstance = getHistoricCaseInstanceFromRequestWithoutAccessCheck(caseInstanceId);
         if (restApiInterceptor != null) {
             restApiInterceptor.deleteHistoricCase(caseInstance);
         }
@@ -96,7 +97,7 @@ public void deleteCaseInstance(@ApiParam(name = "caseInstanceId") @PathVariable
 
     @GetMapping(value = "/cmmn-history/historic-case-instances/{caseInstanceId}/stage-overview", produces = "application/json")
     public List<StageResponse> getStageOverview(@ApiParam(name = "caseInstanceId") @PathVariable String caseInstanceId) {
-        HistoricCaseInstance caseInstance = getHistoricCaseInstanceFromRequest(caseInstanceId);
+        HistoricCaseInstance caseInstance = getHistoricCaseInstanceFromRequestWithAccessCheck(caseInstanceId);
 
         return cmmnhistoryService.getStageOverview(caseInstance.getId());
     }

modules/flowable-cmmn-rest/src/main/java/org/flowable/cmmn/rest/service/api/history/caze/HistoricCaseInstanceVariableDataResource.java

@@ -90,7 +90,7 @@ public byte[] getVariableData(@ApiParam(name = "caseInstanceId") @PathVariable("
     }
 
     public RestVariable getVariableFromRequest(boolean includeBinary, String caseInstanceId, String variableName, HttpServletRequest request) {
-        HistoricCaseInstance caseObject = getHistoricCaseInstanceFromRequest(caseInstanceId);
+        HistoricCaseInstance caseObject = getHistoricCaseInstanceFromRequestWithAccessCheck(caseInstanceId);
 
         HistoricVariableInstance variable = historyService.createHistoricVariableInstanceQuery()
                         .caseInstanceId(caseObject.getId())

modules/flowable-cmmn-rest/src/main/java/org/flowable/cmmn/rest/service/api/history/task/HistoricTaskInstanceBaseResource.java

@@ -278,11 +278,25 @@ protected DataResponse<HistoricTaskInstanceResponse> getQueryResponse(HistoricTa
             restResponseFactory::createHistoricTaskInstanceResponseList);
     }
 
-    protected HistoricTaskInstance getHistoricTaskInstanceFromRequest(String taskId) {
+    /**
+     * Returns the {@link HistoricTaskInstance} that is requested without calling the access interceptor
+     * Throws the right exceptions when bad request was made or instance was not found.
+     */
+    protected HistoricTaskInstance getHistoricTaskInstanceFromRequestWithoutAccessCheck(String taskId) {
         HistoricTaskInstance taskInstance = historyService.createHistoricTaskInstanceQuery().taskId(taskId).singleResult();
         if (taskInstance == null) {
             throw new FlowableObjectNotFoundException("Could not find a task instance with id '" + taskId + "'.", HistoricTaskInstance.class);
         }
+
+        return taskInstance;
+    }
+
+    /**
+     * Returns the {@link HistoricTaskInstance} that is requested and calls the access interceptor.
+     * Throws the right exceptions when bad request was made or instance was not found.
+     */
+    protected HistoricTaskInstance getHistoricTaskInstanceFromRequestWithAccessCheck(String taskId) {
+        HistoricTaskInstance taskInstance = getHistoricTaskInstanceFromRequestWithoutAccessCheck(taskId);
 
         if (restApiInterceptor != null) {
             restApiInterceptor.accessHistoryTaskInfoById(taskInstance);

modules/flowable-cmmn-rest/src/main/java/org/flowable/cmmn/rest/service/api/history/task/HistoricTaskInstanceIdentityLinkCollectionResource.java

@@ -53,7 +53,11 @@ public class HistoricTaskInstanceIdentityLinkCollectionResource extends Historic
             @ApiResponse(code = 404, message = "Indicates the task instance could not be found.") })
     @GetMapping(value = "/cmmn-history/historic-task-instances/{taskId}/identitylinks", produces = "application/json")
     public List<HistoricIdentityLinkResponse> getTaskIdentityLinks(@ApiParam(name = "taskId") @PathVariable String taskId, HttpServletRequest request) {
-        HistoricTaskInstance task = getHistoricTaskInstanceFromRequest(taskId);
+        HistoricTaskInstance task = getHistoricTaskInstanceFromRequestWithoutAccessCheck(taskId);
+
+        if (restApiInterceptor != null) {
+            restApiInterceptor.accessHistoricTaskIdentityLinks(task);
+        }
 
         List<HistoricIdentityLink> identityLinks = historyService.getHistoricIdentityLinksForTask(task.getId());
 

modules/flowable-cmmn-rest/src/main/java/org/flowable/cmmn/rest/service/api/history/task/HistoricTaskInstanceResource.java

@@ -65,7 +65,7 @@ public class HistoricTaskInstanceResource extends HistoricTaskInstanceBaseResour
             @ApiResponse(code = 404, message = "Indicates that the historic task instances could not be found.") })
     @GetMapping(value = "/cmmn-history/historic-task-instances/{taskId}", produces = "application/json")
     public HistoricTaskInstanceResponse getTaskInstance(@ApiParam(name = "taskId") @PathVariable String taskId, HttpServletRequest request) {
-        return restResponseFactory.createHistoricTaskInstanceResponse(getHistoricTaskInstanceFromRequest(taskId));
+        return restResponseFactory.createHistoricTaskInstanceResponse(getHistoricTaskInstanceFromRequestWithAccessCheck(taskId));
     }
 
     @ApiOperation(value = "Delete a historic task instance", tags = { "History Task" }, notes = "")
@@ -74,7 +74,7 @@ public HistoricTaskInstanceResponse getTaskInstance(@ApiParam(name = "taskId") @
             @ApiResponse(code = 404, message = "Indicates that the historic task instance could not be found.") })
     @DeleteMapping(value = "/cmmn-history/historic-task-instances/{taskId}")
     public void deleteTaskInstance(@ApiParam(name = "taskId") @PathVariable String taskId, HttpServletResponse response) {
-        HistoricTaskInstance task = getHistoricTaskInstanceFromRequest(taskId);
+        HistoricTaskInstance task = getHistoricTaskInstanceFromRequestWithoutAccessCheck(taskId);
 
         if (restApiInterceptor != null) {
             restApiInterceptor.deleteHistoricTask(task);
@@ -91,7 +91,7 @@ public void deleteTaskInstance(@ApiParam(name = "taskId") @PathVariable String t
     })
     @GetMapping(value = "/cmmn-history/historic-task-instances/{taskId}/form", produces = "application/json")
     public String getTaskForm(@ApiParam(name = "taskId") @PathVariable String taskId, HttpServletRequest request) {
-        HistoricTaskInstance task = getHistoricTaskInstanceFromRequest(taskId);
+        HistoricTaskInstance task = getHistoricTaskInstanceFromRequestWithAccessCheck(taskId);
         if (StringUtils.isEmpty(task.getFormKey())) {
             throw new FlowableIllegalArgumentException("Task has no form defined");
         }

modules/flowable-cmmn-rest/src/main/java/org/flowable/cmmn/rest/service/api/repository/BaseCaseDefinitionResource.java

@@ -35,14 +35,25 @@ public class BaseCaseDefinitionResource {
     protected CmmnRestApiInterceptor restApiInterceptor;
 
     /**
-     * Returns the {@link CaseDefinition} that is requested. Throws the right exceptions when bad request was made or definition was not found.
+     * Returns the {@link CaseDefinition} that is requested without calling the access interceptor
+     * Throws the right exceptions when bad request was made or definition was not found.
      */
-    protected CaseDefinition getCaseDefinitionFromRequest(String caseDefinitionId) {
+    protected CaseDefinition getCaseDefinitionFromRequestWithoutAccessCheck(String caseDefinitionId) {
         CaseDefinition caseDefinition = repositoryService.getCaseDefinition(caseDefinitionId);
 
         if (caseDefinition == null) {
             throw new FlowableObjectNotFoundException("Could not find a case definition with id '" + caseDefinitionId + "'.", CaseDefinition.class);
         }
+
+        return caseDefinition;
+    }
+
+    /**
+     * Returns the {@link CaseDefinition} that is requested and calls the access interceptor.
+     * Throws the right exceptions when bad request was made or definition was not found.
+     */
+    protected CaseDefinition getCaseDefinitionFromRequestWithAccessCheck(String caseDefinitionId) {
+        CaseDefinition caseDefinition = getCaseDefinitionFromRequestWithoutAccessCheck(caseDefinitionId);
 
         if (restApiInterceptor != null) {
             restApiInterceptor.accessCaseDefinitionById(caseDefinition);

modules/flowable-cmmn-rest/src/main/java/org/flowable/cmmn/rest/service/api/repository/CaseDefinitionDecisionCollectionResource.java

@@ -46,7 +46,7 @@ public List<DecisionResponse> getDecisionsForCaseDefinition(
         @ApiParam(name = "caseDefinitionId") @PathVariable String caseDefinitionId,
         HttpServletRequest request) {
 
-        CaseDefinition caseDefinition = getCaseDefinitionFromRequest(caseDefinitionId);
+        CaseDefinition caseDefinition = getCaseDefinitionFromRequestWithAccessCheck(caseDefinitionId);
         List<DmnDecision> decisions = repositoryService.getDecisionsForCaseDefinition(caseDefinition.getId());
 
         return restResponseFactory.createDecisionResponseList(decisions, caseDefinitionId);

modules/flowable-cmmn-rest/src/main/java/org/flowable/cmmn/rest/service/api/repository/CaseDefinitionFormDefinitionCollectionResource.java

@@ -46,7 +46,7 @@ public List<FormDefinitionResponse> getFormDefinitionsForCaseDefinition(
             @ApiParam(name = "caseDefinitionId") @PathVariable String caseDefinitionId,
             HttpServletRequest request) {
 
-        CaseDefinition caseDefinition = getCaseDefinitionFromRequest(caseDefinitionId);
+        CaseDefinition caseDefinition = getCaseDefinitionFromRequestWithAccessCheck(caseDefinitionId);
         List<FormDefinition> formDefinitions = repositoryService.getFormDefinitionsForCaseDefinition(caseDefinition.getId());
 
         return restResponseFactory.createFormDefinitionResponseList(formDefinitions, caseDefinitionId);

modules/flowable-cmmn-rest/src/main/java/org/flowable/cmmn/rest/service/api/repository/CaseDefinitionIdentityLinkCollectionResource.java

@@ -50,7 +50,12 @@ public class CaseDefinitionIdentityLinkCollectionResource extends BaseCaseDefini
     })
     @GetMapping(value = "/cmmn-repository/case-definitions/{caseDefinitionId}/identitylinks", produces = "application/json")
     public List<RestIdentityLink> getIdentityLinks(@ApiParam(name = "caseDefinitionId") @PathVariable String caseDefinitionId, HttpServletRequest request) {
-        CaseDefinition caseDefinition = getCaseDefinitionFromRequest(caseDefinitionId);
+        CaseDefinition caseDefinition = getCaseDefinitionFromRequestWithoutAccessCheck(caseDefinitionId);
+
+        if (restApiInterceptor != null) {
+            restApiInterceptor.accessCaseDefinitionIdentityLinks(caseDefinition);
+        }
+
         return restResponseFactory.createRestIdentityLinks(repositoryService.getIdentityLinksForCaseDefinition(caseDefinition.getId()));
     }
 
@@ -64,7 +69,7 @@ public List<RestIdentityLink> getIdentityLinks(@ApiParam(name = "caseDefinitionI
     @PostMapping(value = "/cmmn-repository/case-definitions/{caseDefinitionId}/identitylinks", produces = "application/json")
     public RestIdentityLink createIdentityLink(@ApiParam(name = "caseDefinitionId") @PathVariable String caseDefinitionId, @RequestBody RestIdentityLink identityLink, HttpServletRequest request, HttpServletResponse response) {
 
-        CaseDefinition caseDefinition = getCaseDefinitionFromRequest(caseDefinitionId);
+        CaseDefinition caseDefinition = getCaseDefinitionFromRequestWithoutAccessCheck(caseDefinitionId);
 
         if (identityLink.getGroup() == null && identityLink.getUser() == null) {
             throw new FlowableIllegalArgumentException("A group or a user is required to create an identity link.");
@@ -74,6 +79,10 @@ public RestIdentityLink createIdentityLink(@ApiParam(name = "caseDefinitionId")
             throw new FlowableIllegalArgumentException("Only one of user or group can be used to create an identity link.");
         }
 
+        if (restApiInterceptor != null) {
+            restApiInterceptor.createCaseDefinitionIdentityLink(caseDefinition, identityLink);
+        }
+
         if (identityLink.getGroup() != null) {
             repositoryService.addCandidateStarterGroup(caseDefinition.getId(), identityLink.getGroup());
         } else {