From 316f382a0a727ae395b0f58f6fd0a9defbe53a68 Mon Sep 17 00:00:00 2001
From: Anwar khanfir
Date: Mon, 16 Feb 2026 08:29:24 +0100
Subject: [PATCH] Fix: Task creator displays his tasks even if not allowed - MEED-10197 - Meeds-io/meeds#3979
Before this change, task creator can always access his tasks even if he's not allowed to be in case of tasks moved to another project. To fix this problem, in the hasEditPermission method, remove the check from the task creator. After this change, users will no longer be able to access /tasks/taskDetail/TASKID unless they are members of the project.
---
 .../main/java/org/exoplatform/task/util/TaskUtil.java | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/services/src/main/java/org/exoplatform/task/util/TaskUtil.java b/services/src/main/java/org/exoplatform/task/util/TaskUtil.java
index 41c0fd3ca..fcfc9ce1a 100755
--- a/services/src/main/java/org/exoplatform/task/util/TaskUtil.java
+++ b/services/src/main/java/org/exoplatform/task/util/TaskUtil.java
@@ -633,12 +633,6 @@ public static boolean hasEditPermission(TaskService taskService,TaskDto task) {
 Identity identity = ConversationState.getCurrent().getIdentity();
 String userId = identity.getUserId();
- if ((task.getAssignee() != null && task.getAssignee().equals(identity.getUserId())) ||
- getCoworker(taskService,task.getId()).contains(userId) ||
- (task.getCreatedBy() != null && task.getCreatedBy().equals(userId))) {
- return true;
- }
-
 if (task.getStatus() != null && task.getStatus().getProject() != null) {
 ProjectDto project = task.getStatus().getProject();
 if (project.canView(identity)) {
@@ -646,6 +640,11 @@ public static boolean hasEditPermission(TaskService taskService,TaskDto task) {
 }
 }
+ if ((task.getAssignee() != null && task.getAssignee().equals(identity.getUserId())) ||
+ getCoworker(taskService,task.getId()).contains(userId)) {
+ return true;
+ }
+
 return UserUtil.isPlatformAdmin(identity);
 }
 public static boolean hasEditPermission(TaskService taskService,Task task) {
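Review bot: The re-added block still returns true for the assignee and for coworkers without looking at the project, so a user who stays assignee or coworker on a task moved to a project they do not belong to passes this check, which does not match the description's "unless they are members of the project". If that is intended, say so above the condition, e.g. `// assignee and coworkers keep edit rights even when they are not members of the task's project`; if not, the shortcut should apply only when `task.getStatus() == null || task.getStatus().getProject() == null`. Tasks with no project also lose the creator path here, so a creator who is neither assignee nor coworker can no longer edit such a task; worth confirming that case is wanted and covering both cases with a test, since the patch touches only TaskUtil.java. The overload `hasEditPermission(TaskService, Task)` begins on the hunk's last line and its body is outside the hunk, so it should be checked for the same `getCreatedBy()` clause.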