Hello,
I am working on a Camunda Project and I just found a big vulnerability in it.
Users are able to claim and unclaim tasks. The problem comes after a user unclaims a task, since they are able to use the following REST Call to claim it again:
POST /task/{id}/claim
Body: {"userId": "someOtherUsersId"}
With this they can specify another user and claim the task for them instead, which is not desirable.
Is there a way to restrict the claim endpoint to only work if the caller of the request is authenticated as the same user specified in the body? At least if that user is not the admin.
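One way to enforce the rule asked about above at the REST boundary, as an added example that is neither code from the original post nor Camunda's own code: a servlet filter placed in front of the REST API that intercepts POST /task/{id}/claim, buffers the JSON body, and rejects the request when the body's userId differs from the authenticated caller unless the caller is an admin. It assumes the REST webapp uses container-managed authentication (so request.getRemoteUser() and request.isUserInRole(...) are populated), a Servlet 3.1+ container, Jackson on the classpath, and the role name "camunda-admin"; the class and filter names are hypothetical.

```java
// Added example (not from the post or from Camunda): reject claims on behalf
// of another user at the REST layer. Assumes container-managed authentication,
// Servlet 3.1+, Jackson on the classpath; names below are hypothetical.
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class ClaimForSelfOnlyFilter implements Filter {

  // Assumed role name; Camunda's built-in admin group is "camunda-admin".
  private static final String ADMIN_ROLE = "camunda-admin";
  // Matches the claim resource regardless of the webapp's context path.
  private static final Pattern CLAIM_PATH = Pattern.compile(".*/task/[^/]+/claim/?$");
  private static final ObjectMapper MAPPER = new ObjectMapper();

  @Override public void init(FilterConfig cfg) {}
  @Override public void destroy() {}

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest http = (HttpServletRequest) req;
    HttpServletResponse out = (HttpServletResponse) res;
    if (!"POST".equalsIgnoreCase(http.getMethod())
        || !CLAIM_PATH.matcher(http.getRequestURI()).matches()) {
      chain.doFilter(req, res);          // not a claim: nothing to check
      return;
    }
    String caller = http.getRemoteUser();
    if (caller == null) {                 // filter must run after authentication
      out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
      return;
    }
    // The body can be read only once, so buffer it and replay it downstream.
    CachedBodyRequest cached = new CachedBodyRequest(http);
    String target;
    try {
      target = targetUserId(cached.body);
    } catch (IOException malformed) {     // fail closed on an unparsable body
      out.sendError(HttpServletResponse.SC_BAD_REQUEST, "body is not valid JSON");
      return;
    }
    if (!isAllowed(caller, target, http.isUserInRole(ADMIN_ROLE))) {
      out.sendError(HttpServletResponse.SC_FORBIDDEN,
          "claiming a task for another user is not permitted");
      return;
    }
    chain.doFilter(cached, res);
  }

  /** "userId" from the JSON body; null if absent or JSON null. Throws on malformed JSON. */
  static String targetUserId(byte[] body) throws IOException {
    JsonNode node = MAPPER.readTree(body);
    if (node == null || node.isMissingNode()) return null;   // empty body
    JsonNode id = node.get("userId");
    return (id == null || id.isNull()) ? null : id.asText();
  }

  /** Decision logic, separated so it can be unit-tested without a container. */
  static boolean isAllowed(String caller, String target, boolean callerIsAdmin) {
    if (callerIsAdmin) return true;
    // A null userId means "unclaim", which the post says users may already do.
    return target == null || target.equals(caller);
  }

  /** Buffers the request body so the REST resource behind us can still read it. */
  static final class CachedBodyRequest extends HttpServletRequestWrapper {
    final byte[] body;

    CachedBodyRequest(HttpServletRequest request) throws IOException {
      super(request);
      ByteArrayOutputStream buf = new ByteArrayOutputStream();
      InputStream in = request.getInputStream();
      byte[] chunk = new byte[4096];
      int n;
      while ((n = in.read(chunk)) != -1) buf.write(chunk, 0, n);
      body = buf.toByteArray();
    }

    @Override
    public ServletInputStream getInputStream() {
      ByteArrayInputStream in = new ByteArrayInputStream(body);
      return new ServletInputStream() {
        @Override public int read() { return in.read(); }
        @Override public boolean isFinished() { return in.available() == 0; }
        @Override public boolean isReady() { return true; }
        @Override public void setReadListener(ReadListener listener) {}
      };
    }

    @Override
    public BufferedReader getReader() {
      return new BufferedReader(new InputStreamReader(getInputStream(), StandardCharsets.UTF_8));
    }
  }
}
```

Register the filter in the REST webapp's web.xml (or with @WebFilter) on the REST servlet's path, ordered after whatever performs authentication, otherwise getRemoteUser() is null and every claim is rejected with 401. If the webapp authenticates with Camunda's own ProcessEngineAuthenticationFilter rather than container security, getRemoteUser() is not populated and the caller has to be taken from the engine's current authentication instead. This is a check at the HTTP boundary only: the engine's Java API still accepts a claim for any user, and any other endpoint that takes a target userId in its body (set-assignee, for instance) needs the same comparison.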