Should Task Completion Restrictions Be Enforced by the Client When Using Camunda 8 Tasklist API?

Hi all,

I’m working with the Camunda 8 Tasklist API and using the endpoint:

POST http://localhost:8088/v2/user-tasks/{{id}}/completion

I noticed that I can complete any user task using this API without any form of authorization tied to the task. Specifically:

  • The request doesn’t require any information about who is completing the task.
  • It allows completion even if the task is assigned to someone else.

This raises a few questions:

  1. Is this the expected behavior of the Tasklist API in Camunda 8?
  2. Does Camunda itself not enforce task ownership or assignment checks at the API level?
  3. Should I, as a client, manually check the task’s assignee via the API before completing it and enforce the restriction in my application code?

I want to make sure I’m not missing any built-in mechanism or best practice. Any guidance would be appreciated!

Thanks in advance!

Hi @tlmouden, welcome to the forum! The short answer is yes, this is currently by design. We consider those concerns to be part of the task application, and want to ensure we give all customers the flexibility they need to consume user tasks as needed for their workflows. Not everyone requires the same rules that Tasklist is built on. It is a delicate dance, because of course we don’t want to force additional extra work for customers wanting to build their own task applications. Feedback is always welcome!
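
The assignee check asked about in question 3, sketched as a backend gate in Python. This is an added example, not part of the thread and not Camunda's own code. The task lookup route, the `assignee` response field and the completion request body are assumptions, and `demo()` runs against constructed tasks.

```python
import json
import urllib.request

BASE_URL = "http://localhost:8088/v2"  # host and port as in the post

class TaskAuthzError(PermissionError):
    """Raised when the caller is not the task's assignee."""

def http_json(method, path, body=None):
    """Minimal transport for a real cluster; add your auth header here."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def complete_task_as(user_id, task_id, variables=None, call=http_json):
    """Complete task_id only if user_id (from the verified session) owns it."""
    # Assumption: GET /user-tasks/{id} returns JSON with an "assignee" field.
    assignee = call("GET", f"/user-tasks/{task_id}").get("assignee")
    if not assignee:
        raise TaskAuthzError(f"task {task_id} is unassigned; assign it first")
    if assignee != user_id:
        raise TaskAuthzError(f"task {task_id} is not assigned to {user_id}")
    # Endpoint from the post; the request body shape is an assumption.
    call("POST", f"/user-tasks/{task_id}/completion",
         {"variables": variables or {}})
    return True

def demo():
    """Exercise the gate against a constructed in-memory task store."""
    tasks = {"1001": {"assignee": "alice"}, "1002": {"assignee": None}}
    completed = []

    def fake_call(method, path, body=None):
        task_id = path.split("/")[2]
        if method == "GET":
            return tasks[task_id]
        completed.append(task_id)  # only reached for an authorized POST
        return {}

    outcome = {}
    for user, task_id in [("bob", "1001"), ("alice", "1002"), ("alice", "1001")]:
        try:
            outcome[(user, task_id)] = complete_task_as(user, task_id, call=fake_call)
        except TaskAuthzError:
            outcome[(user, task_id)] = False
    return outcome, completed
```

The gate only holds if end users cannot reach the completion endpoint directly, so it belongs in a backend that alone holds the API credentials. The assignee can still change between the lookup and the completion call.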

Thank you so much for your reply! I appreciate it.
