Hello,
As discussed some time ago here:
#623
Currently we use Nflow in our production environment and we are quite happy with it. All our interaction with the workflows is taking place using the API so we need a method of protecting against non-permitted state changes. We already had a bug in our frontend software causing problems because a wrong state was forced.
We really want to avoid these situations, and preferably on the Nflow server. Is this something we can add ourselves? I'm willing to create a PR if we agree on a technical solution.
Picking up on our discussion, I am all for configuring this on request level. The most ideal solution would be to distinguish between admin en user requests, but I think that is a bridge too far since Spring security is applied 'at the gate' and currently no role checks are being performed anywhere (from what I can see now). That leaves us with the option to provide a query param to the request, which sounds fine with me.
In the discussion it is mentioned that a check could be performed inside WorkflowInstanceService.wakeupWorkflowInstance(), but shouldn't this check be performed in the WorkflowInstanceService.updateWorkflowInstance() method? This way the client can be directly notified with a bad request.
Regards
Mauro
Hello,
As discussed some time ago here:
#623
Currently we use Nflow in our production environment and we are quite happy with it. All our interaction with the workflows is taking place using the API so we need a method of protecting against non-permitted state changes. We already had a bug in our frontend software causing problems because a wrong state was forced.
We really want to avoid these situations, and preferably on the Nflow server. Is this something we can add ourselves? I'm willing to create a PR if we agree on a technical solution.
Picking up on our discussion, I am all for configuring this on request level. The most ideal solution would be to distinguish between admin en user requests, but I think that is a bridge too far since Spring security is applied 'at the gate' and currently no role checks are being performed anywhere (from what I can see now). That leaves us with the option to provide a query param to the request, which sounds fine with me.
In the discussion it is mentioned that a check could be performed inside WorkflowInstanceService.wakeupWorkflowInstance(), but shouldn't this check be performed in the WorkflowInstanceService.updateWorkflowInstance() method? This way the client can be directly notified with a bad request.
Regards
Mauro