Skip to content

[NAE-2389] Actor ref resolution does not includes realmId#421

Open
renczesstefan wants to merge 2 commits intorelease/7.0.0-rev10from
NAE-2389
Open

[NAE-2389] Actor ref resolution does not includes realmId#421
renczesstefan wants to merge 2 commits intorelease/7.0.0-rev10from
NAE-2389

Conversation

@renczesstefan
Copy link
Member

@renczesstefan renczesstefan commented Mar 6, 2026
edited by coderabbitai bot
Loading

Description

Added realmId inclusion when searching for user at resolving actor permission on cases and tasks.

Fixes NAE-2389

Dependencies

No new dependencies were introduced

Third party dependencies

No new dependencies were introduced

Blocking Pull requests

There are no dependencies on other PR

How Has Been This Tested?

This was tested manually and with unit tests.

Test Configuration

Name Tested on
OS macOS Tahoe 26.3
Runtime Java 21
Dependency Manager Maven 3.9.9n
Framework version Spring Boot 3.4.4
Run parameters
Other configuration

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • My changes have been checked, personally or remotely, with @machacjozef
  • I have commented my code, particularly in hard-to-understand areas
  • I have resolved all conflicts with the target branch of the PR
  • I have updated and synced my code with the target branch
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing tests pass locally with my changes:
    • Lint test
    • Unit tests
    • Integration tests
  • I have checked my contribution with code analysis tools:
  • I have made corresponding changes to the documentation:
    • Developer documentation
    • User Guides
    • Migration Guides

Summary by CodeRabbit

  • Refactor
    • Improved internal actor existence checks for more reliable resolution of users and groups (including realm-aware lookups).
    • No changes to public behavior or APIs; this simplifies internal logic while preserving existing functionality.

@renczesstefan
[NAE-2389] Actor ref resolution does not includes realmId
267ff2e 
Moved the logic for validating actor existence into a dedicated `actorExists` method to improve code readability and reduce duplication. This change was applied to both `WorkflowService` and `TaskService` for consistency.
@renczesstefan renczesstefan self-assigned this Mar 6, 2026
@coderabbitai
Copy link

coderabbitai bot commented Mar 6, 2026
edited
Loading

Walkthrough

Extracts inline actor existence checks into a new private helper method actorExists(ActorFieldValue) in TaskService and WorkflowService; the helper performs realm-aware user lookup then group lookup, and getExistingActors() now filters via this helper. No public signatures changed.

Changes

Cohort / File(s) Summary
Actor existence refactor
application-engine/src/main/java/com/netgrif/application/engine/workflow/service/TaskService.java, application-engine/src/main/java/com/netgrif/application/engine/workflow/service/WorkflowService.java		 Added private actorExists(ActorFieldValue) to centralize existence checks (user lookup with actorFieldValue.getRealmId() then group lookup). Replaced inline stream filter logic in getExistingActors() with the new helper. Minor Javadoc whitespace adjustment in WorkflowService.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 14.29% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title directly addresses the main change: integrating realmId into actor reference resolution during permission checks, which matches the core refactoring across TaskService and WorkflowService.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Retoocs
Retoocs previously approved these changes Mar 6, 2026
View reviewed changes
@coderabbitai coderabbitai bot added bugfix A change that fixes a bug Medium Small labels Mar 6, 2026
coderabbitai[bot]
coderabbitai bot requested changes Mar 6, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@application-engine/src/main/java/com/netgrif/application/engine/workflow/service/WorkflowService.java`:
- Around line 285-296: The actorExists method should defensively check that
actorFieldValue.getId() is not null or empty before calling userService.findById
or groupService.findById; update the actorExists(ActorFieldValue) implementation
to return false immediately when actorFieldValue.getId() is null/blank, then
proceed to call userService.findById(actorFieldValue.getId(),
actorFieldValue.getRealmId()) and fallback to
groupService.findById(actorFieldValue.getId()) as before (catching
IllegalArgumentException).
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: adeab910-3f18-4072-ab2a-2f36a4c2a426

📥 Commits

Reviewing files that changed from the base of the PR and between fe97154 and 267ff2e.

📒 Files selected for processing (2)
  • application-engine/src/main/java/com/netgrif/application/engine/workflow/service/TaskService.java
  • application-engine/src/main/java/com/netgrif/application/engine/workflow/service/WorkflowService.java

tuplle
tuplle previously approved these changes Mar 6, 2026
View reviewed changes
@renczesstefan
Handle null checks for actorFieldValue in actorExists method
c68380b 
Added null checks for actorFieldValue and its ID in actorExists methods of WorkflowService and TaskService. This prevents potential NullPointerExceptions and ensures robustness in cases where invalid or null input is provided.
@renczesstefan renczesstefan dismissed stale reviews from tuplle and Retoocs via c68380b March 6, 2026 11:41
coderabbitai[bot]
coderabbitai bot requested changes Mar 6, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

♻️ Duplicate comments (1)
application-engine/src/main/java/com/netgrif/application/engine/workflow/service/WorkflowService.java (1)

285-299: ⚠️ Potential issue | 🟠 Major

Guard malformed actor IDs before the user lookup.

Line 289 still assumes every non-null id is a valid user ObjectId. In nae-user-ce/src/main/java/com/netgrif/application/engine/auth/service/UserServiceImpl.java:339-344, findById(id, realmId) constructs new ObjectId(id), so blank or malformed ids will throw before the group fallback runs. This should stay a soft false during actor filtering, not break case resolution.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In
`@application-engine/src/main/java/com/netgrif/application/engine/workflow/service/WorkflowService.java`
around lines 285 - 299, actorExists currently calls userService.findById with
any non-null id which can throw on malformed ObjectId; fix by validating the id
before the user lookup: in actorExists(ActorFieldValue) first check
actorFieldValue.getId() is not blank and ObjectId.isValid(id) (or equivalent
try-new-ObjectId wrapper) and only then call userService.findById; if the id is
not a valid ObjectId, skip the userService call and fall back to the existing
groupService.findById try/catch so malformed or blank ids return false without
throwing.
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@application-engine/src/main/java/com/netgrif/application/engine/workflow/service/TaskService.java`:
- Around line 867-881: actorExists currently calls userService.findById(...)
which can throw IllegalArgumentException for blank/malformed ids and abort
resolution; update actorExists to treat null/blank actorFieldValue.getId() as
missing, wrap the userService.findById(...) call in a try/catch that catches
IllegalArgumentException and treats it like a non-existent user, then only if
the user lookup fails proceed to try groupService.findById(...) (also swallowing
IllegalArgumentException similarly) so a bad actor id is filtered out rather
than causing the whole resolution to fail; refer to the actorExists method and
the userService.findById and groupService.findById calls when making the change.

---

Duplicate comments:
In
`@application-engine/src/main/java/com/netgrif/application/engine/workflow/service/WorkflowService.java`:
- Around line 285-299: actorExists currently calls userService.findById with any
non-null id which can throw on malformed ObjectId; fix by validating the id
before the user lookup: in actorExists(ActorFieldValue) first check
actorFieldValue.getId() is not blank and ObjectId.isValid(id) (or equivalent
try-new-ObjectId wrapper) and only then call userService.findById; if the id is
not a valid ObjectId, skip the userService call and fall back to the existing
groupService.findById try/catch so malformed or blank ids return false without
throwing.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6209912c-9833-4a44-b843-37b9896e3aa3

📥 Commits

Reviewing files that changed from the base of the PR and between 267ff2e and c68380b.

📒 Files selected for processing (2)
  • application-engine/src/main/java/com/netgrif/application/engine/workflow/service/TaskService.java
  • application-engine/src/main/java/com/netgrif/application/engine/workflow/service/WorkflowService.java

...cation-engine/src/main/java/com/netgrif/application/engine/workflow/service/TaskService.java
Comment on lines +867 to +881
private boolean actorExists(ActorFieldValue actorFieldValue) {
if (actorFieldValue == null || actorFieldValue.getId() == null) {
return false;
}
AbstractUser user = userService.findById(actorFieldValue.getId(), actorFieldValue.getRealmId());
if (user != null) {
return true;
}
try {
groupService.findById(actorFieldValue.getId());
return true;
} catch (IllegalArgumentException ignored) {
return false;
}
}
Copy link

@coderabbitai coderabbitai bot Mar 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Catch invalid user IDs here instead of aborting task resolution.

Line 871 can still throw on blank or malformed ids because userService.findById(...) builds an ObjectId internally. That means one bad actor entry can fail the whole resolution path instead of being filtered out. Treat blank ids as missing and swallow IllegalArgumentException from the user lookup before falling back to groups.

Proposed fix 
 private boolean actorExists(ActorFieldValue actorFieldValue) {
-    if (actorFieldValue == null || actorFieldValue.getId() == null) {
+    if (actorFieldValue == null || actorFieldValue.getId() == null || actorFieldValue.getId().isBlank()) {
         return false;
     }
-    AbstractUser user = userService.findById(actorFieldValue.getId(), actorFieldValue.getRealmId());
-    if (user != null) {
-        return true;
+    try {
+        AbstractUser user = userService.findById(actorFieldValue.getId(), actorFieldValue.getRealmId());
+        if (user != null) {
+            return true;
+        }
+    } catch (IllegalArgumentException ignored) {
+        // Not a valid user id, continue with group lookup.
     }
     try {
         groupService.findById(actorFieldValue.getId());
         return true;
     } catch (IllegalArgumentException ignored) {
         return false;
     }
 }
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In
`@application-engine/src/main/java/com/netgrif/application/engine/workflow/service/TaskService.java`
around lines 867 - 881, actorExists currently calls userService.findById(...)
which can throw IllegalArgumentException for blank/malformed ids and abort
resolution; update actorExists to treat null/blank actorFieldValue.getId() as
missing, wrap the userService.findById(...) call in a try/catch that catches
IllegalArgumentException and treats it like a non-existent user, then only if
the user lookup fails proceed to try groupService.findById(...) (also swallowing
IllegalArgumentException similarly) so a bad actor id is filtered out rather
than causing the whole resolution to fail; refer to the actorExists method and
the userService.findById and groupService.findById calls when making the change.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] requested changes

@Retoocs Retoocs Retoocs left review comments

@tuplle tuplle tuplle left review comments

@machacjozef machacjozef Awaiting requested review from machacjozef

Requested changes must be addressed to merge this pull request.

Assignees

@renczesstefan renczesstefan

Labels

bugfix A change that fixes a bug Medium Small

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@renczesstefan @Retoocs @tuplle