TSK-408: APPEND permission is checked in transferTasks.

lib/taskana-core/src/main/java/pro/taskana/impl/TaskServiceImpl.java

@@ -525,7 +525,11 @@ public class TaskServiceImpl implements TaskService {
     }
 
     private BulkOperationResults<String, TaskanaException> transferTasks(List<String> taskIdsToBeTransferred,
-        Workbasket destinationWorkbasket) throws InvalidArgumentException {
+        Workbasket destinationWorkbasket)
+        throws InvalidArgumentException, WorkbasketNotFoundException, NotAuthorizedException {
+
+        workbasketService.checkAuthorization(destinationWorkbasket.getId(), WorkbasketPermission.APPEND);
+
         // Check pre-conditions with trowing Exceptions
         if (taskIdsToBeTransferred == null) {
             throw new InvalidArgumentException("TaskIds must not be null.");

lib/taskana-core/src/test/java/acceptance/security/WorkbasketQueryAccTest.java

@@ -80,7 +80,7 @@ public class WorkbasketQueryAccTest extends AbstractAccTest {
         List<WorkbasketSummary> results = workbasketService.createWorkbasketQuery()
             .nameLike("%")
             .list();
-        Assert.assertEquals(24L, results.size());
+        Assert.assertEquals(25L, results.size());
 
         results = workbasketService.createWorkbasketQuery()
             .nameLike("%")
@@ -101,7 +101,7 @@ public class WorkbasketQueryAccTest extends AbstractAccTest {
         List<WorkbasketSummary> results = workbasketService.createWorkbasketQuery()
             .nameLike("%")
             .list();
-        Assert.assertEquals(24L, results.size());
+        Assert.assertEquals(25L, results.size());
 
         results = workbasketService.createWorkbasketQuery()
             .nameLike("%")

lib/taskana-core/src/test/java/acceptance/task/TransferTaskAccTest.java

@@ -238,6 +238,24 @@ public class TransferTaskAccTest extends AbstractAccTest {
         assertEquals("TEAMLEAD_1", transferredTask.getWorkbasketKey());
     }
 
+    @WithAccessId(userName = "teamlead_1")
+    @Test(expected = NotAuthorizedException.class)
+    public void testBulkTransferTaskWithoutAppendPermissionOnTarget()
+        throws InvalidArgumentException, WorkbasketNotFoundException, TaskNotFoundException, NotAuthorizedException {
+        TaskService taskService = taskanaEngine.getTaskService();
+        ArrayList<String> taskIdList = new ArrayList<>();
+        taskIdList.add("TKI:000000000000000000000000000000000006"); // working
+        taskIdList.add("TKI:000000000000000000000000000000000041"); // NotAuthorized READ
+
+        try {
+            taskService
+                .transferTasks("WBI:100000000000000000000000000000000010", taskIdList);
+        } catch (NotAuthorizedException e) {
+            assertTrue(e.getMessage().contains("APPEND"));
+            throw e;
+        }
+    }
+
     @WithAccessId(
         userName = "teamlead_1",
         groupNames = {"group_1"})

lib/taskana-core/src/test/java/acceptance/workbasket/QueryWorkbasketAccTest.java

@@ -44,7 +44,7 @@ public class QueryWorkbasketAccTest extends AbstractAccTest {
         WorkbasketService workbasketService = taskanaEngine.getWorkbasketService();
         WorkbasketQuery query = workbasketService.createWorkbasketQuery();
         long count = query.count();
-        assertEquals(3, count);
+        assertEquals(4, count);
         List<WorkbasketSummary> workbaskets = query.list();
         assertNotNull(workbaskets);
         assertEquals(count, workbaskets.size());
@@ -61,7 +61,7 @@ public class QueryWorkbasketAccTest extends AbstractAccTest {
         WorkbasketService workbasketService = taskanaEngine.getWorkbasketService();
         WorkbasketQuery query = workbasketService.createWorkbasketQuery();
         long count = query.count();
-        assertTrue(count == 24);
+        assertTrue(count == 25);
         List<WorkbasketSummary> workbaskets = query.list();
         assertNotNull(workbaskets);
         assertEquals(count, workbaskets.size());
@@ -78,7 +78,7 @@ public class QueryWorkbasketAccTest extends AbstractAccTest {
         WorkbasketService workbasketService = taskanaEngine.getWorkbasketService();
         WorkbasketQuery query = workbasketService.createWorkbasketQuery();
         long count = query.count();
-        assertTrue(count == 24);
+        assertTrue(count == 25);
         List<WorkbasketSummary> workbaskets = query.list();
         assertNotNull(workbaskets);
         assertEquals(count, workbaskets.size());
@@ -96,14 +96,14 @@ public class QueryWorkbasketAccTest extends AbstractAccTest {
         List<String> columnValueList = workbasketService.createWorkbasketQuery()
             .listValues("NAME", null);
         assertNotNull(columnValueList);
-        assertEquals(9, columnValueList.size());
+        assertEquals(10, columnValueList.size());
 
         columnValueList = workbasketService.createWorkbasketQuery()
             .nameLike("%korb%")
             .orderByName(asc)
             .listValues("NAME", SortDirection.DESCENDING);  // will override
         assertNotNull(columnValueList);
-        assertEquals(3, columnValueList.size());
+        assertEquals(4, columnValueList.size());
     }
 
     @WithAccessId(
@@ -395,7 +395,7 @@ public class QueryWorkbasketAccTest extends AbstractAccTest {
         List<WorkbasketSummary> results = workbasketService.createWorkbasketQuery()
             .createdWithin(todaysInterval())
             .list();
-        Assert.assertEquals(8L, results.size());
+        Assert.assertEquals(9L, results.size());
     }
 
     @WithAccessId(
@@ -408,7 +408,7 @@ public class QueryWorkbasketAccTest extends AbstractAccTest {
         List<WorkbasketSummary> results = workbasketService.createWorkbasketQuery()
             .modifiedWithin(todaysInterval())
             .list();
-        Assert.assertEquals(8L, results.size());
+        Assert.assertEquals(9L, results.size());
     }
 
     @WithAccessId(
@@ -422,7 +422,7 @@ public class QueryWorkbasketAccTest extends AbstractAccTest {
             .nameLike("%")
             .orderByName(desc)
             .list();
-        Assert.assertEquals(24L, results.size());
+        Assert.assertEquals(25L, results.size());
         // check sort order is correct
         WorkbasketSummary previousSummary = null;
         for (WorkbasketSummary wbSummary : results) {

lib/taskana-core/src/test/java/acceptance/workbasket/QueryWorkbasketAccessItemsAccTest.java

@@ -44,7 +44,7 @@ public class QueryWorkbasketAccessItemsAccTest extends AbstractAccTest {
         List<String> columnValueList = workbasketService.createWorkbasketAccessItemQuery()
             .listValues("WORKBASKET_ID", null);
         assertNotNull(columnValueList);
-        assertEquals(23, columnValueList.size());
+        assertEquals(24, columnValueList.size());
 
         columnValueList = workbasketService.createWorkbasketAccessItemQuery()
             .listValues("ACCESS_ID", null);

lib/taskana-core/src/test/java/acceptance/workbasket/QueryWorkbasketsWithPaginationAccTest.java

@@ -52,7 +52,7 @@ public class QueryWorkbasketsWithPaginationAccTest extends AbstractAccTest {
         List<WorkbasketSummary> results = workbasketService.createWorkbasketQuery()
             .domainIn("DOMAIN_A")
             .list(5, 5);
-        assertThat(results.size(), equalTo(3));
+        assertThat(results.size(), equalTo(4));
     }
 
     @WithAccessId(
@@ -110,7 +110,7 @@ public class QueryWorkbasketsWithPaginationAccTest extends AbstractAccTest {
         results = workbasketService.createWorkbasketQuery()
             .domainIn("DOMAIN_A")
             .listPage(pageNumber, pageSize);
-        assertThat(results.size(), equalTo(8));
+        assertThat(results.size(), equalTo(9));
 
         // Getting last results on multiple pages
         pageNumber = 2;
@@ -118,7 +118,7 @@ public class QueryWorkbasketsWithPaginationAccTest extends AbstractAccTest {
         results = workbasketService.createWorkbasketQuery()
             .domainIn("DOMAIN_A")
             .listPage(pageNumber, pageSize);
-        assertThat(results.size(), equalTo(3));
+        assertThat(results.size(), equalTo(4));
     }
 
     @WithAccessId(
@@ -151,7 +151,7 @@ public class QueryWorkbasketsWithPaginationAccTest extends AbstractAccTest {
         results = workbasketService.createWorkbasketQuery()
             .domainIn("DOMAIN_A")
             .listPage(pageNumber, pageSize);
-        assertThat(results.size(), equalTo(8));
+        assertThat(results.size(), equalTo(9));
     }
 
     /**
@@ -184,7 +184,7 @@ public class QueryWorkbasketsWithPaginationAccTest extends AbstractAccTest {
         long count = workbasketService.createWorkbasketQuery()
             .domainIn("DOMAIN_A")
             .count();
-        assertThat(count, equalTo(8L));
+        assertThat(count, equalTo(9L));
     }
 
     @WithAccessId(
@@ -197,7 +197,7 @@ public class QueryWorkbasketsWithPaginationAccTest extends AbstractAccTest {
         List<WorkbasketSummary> result = workbasketService.createWorkbasketQuery()
             .domainIn("DOMAIN_A")
             .list();
-        assertThat(result.size(), equalTo(8));
+        assertThat(result.size(), equalTo(9));
     }
 
 }

lib/taskana-core/src/test/resources/sql/workbasket-access-list.sql

@@ -27,6 +27,8 @@ INSERT INTO TASKANA.WORKBASKET_ACCESS_LIST VALUES ('WAI:100000000000000000000000
 -- Cross team GPK access
 INSERT INTO TASKANA.WORKBASKET_ACCESS_LIST VALUES ('WAI:100000000000000000000000000000000021', 'WBI:100000000000000000000000000000000001', 'teamlead_1', true, true, true,   true,     true,       true, true, true, true, true, true, true, true, true, true, true, true);
 INSERT INTO TASKANA.WORKBASKET_ACCESS_LIST VALUES ('WAI:100000000000000000000000000000000022', 'WBI:100000000000000000000000000000000001', 'teamlead_2', true, true, true,   true,     true,       true, true, true, true, true, true, true, true, true, true, true, true);
+-- TPK access
+INSERT INTO TASKANA.WORKBASKET_ACCESS_LIST VALUES ('WAI:100000000000000000000000000000000123', 'WBI:100000000000000000000000000000000010', 'teamlead_1', true, false, false,   false,     false,      false, false, false, false, false, false, false, false, false, false, false, false);
 
 -- Access to other domains
 INSERT INTO TASKANA.WORKBASKET_ACCESS_LIST VALUES ('WAI:100000000000000000000000000000000023', 'WBI:100000000000000000000000000000000012',    'group_1', true, false, true,  true,     false,      false, false, false, false, false, false, false, false, false, false, false, false);

lib/taskana-core/src/test/resources/sql/workbasket.sql

@@ -8,6 +8,7 @@ INSERT INTO TASKANA.WORKBASKET VALUES ('WBI:100000000000000000000000000000000006
 INSERT INTO TASKANA.WORKBASKET VALUES ('WBI:100000000000000000000000000000000007', 'USER_1_2', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, 'PPK User 2 KSC 1', 'DOMAIN_A', 'PERSONAL', 'PPK User 2 KSC 1', 'Peter Maier', '', '', '', '', 'Versicherung', '', '', '');
 INSERT INTO TASKANA.WORKBASKET VALUES ('WBI:100000000000000000000000000000000008', 'USER_2_1', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, 'PPK User 1 KSC 2', 'DOMAIN_A', 'PERSONAL', 'PPK User 1 KSC 2', '', '', '', '', '', '', '', '', '');
 INSERT INTO TASKANA.WORKBASKET VALUES ('WBI:100000000000000000000000000000000009', 'USER_2_2', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, 'PPK User 2 KSC 2', 'DOMAIN_A', 'PERSONAL', 'PPK User 2 KSC 2', '', '', '', '', '', '', '', '', '');
+INSERT INTO TASKANA.WORKBASKET VALUES ('WBI:100000000000000000000000000000000010', 'TPK_VIP', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, 'Themenpostkorb VIP', 'DOMAIN_A', 'TOPIC', 'Themenpostkorb VIP', '', '', '', '', '', '', '', '', '');
 
 -- KSC workbaskets Domain_B
 INSERT INTO TASKANA.WORKBASKET VALUES ('WBI:100000000000000000000000000000000011', 'GPK_B_KSC', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, 'Gruppenpostkorb KSC B', 'DOMAIN_B', 'GROUP', 'Gruppenpostkorb KSC', '', '', '', '', '', '', '', '', '');