Forbidden access to activities assigned to other users or already gone, the engine was too much relying on client datas. Warning the engine compile pre-activity code is changed, you need to recompile all interactive activities.

phpgwapi/inc/galaxia_workflow/compiler/activity_pre.php

@@ -8,13 +8,16 @@ if(empty($instance->instanceId)) {
     $instance->getInstance($_REQUEST['iid']);
   } else {
     // defined in lib/Galaxia/config.php
-    galaxia_show_error("No instance indicated");
+    galaxia_show_error(lang("No instance indicated"));
     die;  
   }
 }
 // Set the current user for this activity
 if(isset($GLOBALS['user']) && ($activity->isInteractive()) && !empty($instance->instanceId) && !empty($activity_id)) {
-  $instance->setActivityUser($activity_id,$GLOBALS['user']);
+  if (!$instance->setActivityUser($activity_id,$GLOBALS['user'])){
+     galaxia_show_error(lang("You do not have the right to run this activity anymore, maybe a concurrent access problem, refresh your datas."));
+     die;
+  }
 }
 
 ?>

phpgwapi/inc/galaxia_workflow/compiler/end_pre.php

@@ -8,13 +8,16 @@ if(empty($instance->instanceId)) {
     $instance->getInstance($_REQUEST['iid']);
   } else {
     // defined in lib/Galaxia/config.php
-    galaxia_show_error("No instance indicated");
+    galaxia_show_error(lang("No instance indicated"));
     die;  
   }
 }
 // Set the current user for this activity
 if(isset($GLOBALS['user']) && ($activity->isInteractive()) && !empty($instance->instanceId) && !empty($activity_id)) {
-  $instance->setActivityUser($activity_id,$GLOBALS['user']);
+  if (!$instance->setActivityUser($activity_id,$GLOBALS['user'])){
+     galaxia_show_error(lang("You do not have the right to run this activity anymore, maybe a concurrent access problem, refresh your datas."));
+     die;
+  }
 }
 
 ?>

phpgwapi/inc/galaxia_workflow/compiler/join_pre.php

@@ -8,13 +8,16 @@ if(empty($instance->instanceId)) {
     $instance->getInstance($_REQUEST['iid']);
   } else {
     // defined in lib/Galaxia/config.php
-    galaxia_show_error("No instance indicated");
+    galaxia_show_error(lang("No instance indicated"));
     die;  
   }
 }
 // Set the current user for this activity
 if(isset($GLOBALS['user']) && ($activity->isInteractive()) && !empty($instance->instanceId) && !empty($activity_id)) {
-  $instance->setActivityUser($activity_id,$GLOBALS['user']);
+  if (!$instance->setActivityUser($activity_id,$GLOBALS['user'])){
+     galaxia_show_error(lang("You do not have the right to run this activity anymore, maybe a concurrent access problem, refresh your datas."));
+     die;
+  }
 }
 
 ?>

phpgwapi/inc/galaxia_workflow/compiler/split_pre.php

@@ -8,13 +8,15 @@ if(empty($instance->instanceId)) {
     $instance->getInstance($_REQUEST['iid']);
   } else {
     // defined in lib/Galaxia/config.php
-    galaxia_show_error("No instance indicated");
+    galaxia_show_error(lang("No instance indicated"));
     die;  
   }
 }
 // Set the current user for this activity
 if(isset($GLOBALS['user']) && ($activity->isInteractive()) && !empty($instance->instanceId) && !empty($activity_id)) {
-  $instance->setActivityUser($activity_id,$GLOBALS['user']);
+  if (!$instance->setActivityUser($activity_id,$GLOBALS['user'])){
+     galaxia_show_error(lang("You do not have the right to run this activity anymore, maybe a concurrent access problem, refresh your datas."));
+     die;
+  }
 }
-
 ?>

phpgwapi/inc/galaxia_workflow/compiler/switch_pre.php

@@ -8,13 +8,16 @@ if(empty($instance->instanceId)) {
     $instance->getInstance($_REQUEST['iid']);
   } else {
     // defined in lib/Galaxia/config.php
-    galaxia_show_error("No instance indicated");
+    galaxia_show_error(lang("No instance indicated"));
     die;  
   }
 }
 // Set the current user for this activity
 if(isset($GLOBALS['user']) && ($activity->isInteractive()) && !empty($instance->instanceId) && !empty($activity_id)) {
-  $instance->setActivityUser($activity_id,$GLOBALS['user']);
+  if (!$instance->setActivityUser($activity_id,$GLOBALS['user'])){
+     galaxia_show_error(lang("You do not have the right to run this activity anymore, maybe a concurrent access problem, refresh your datas."));
+     die;
+  }
 }
 
 ?>

phpgwapi/inc/galaxia_workflow/src/API/Instance.php

@@ -203,19 +203,34 @@ class Instance extends Base {
   Sets the user that must execute the activity indicated by the activityId.
   Note that the instance MUST be present in the activity to set the user,
   you can't program who will execute an activity.
+  
+  egw: if the user we set is not * verification is done before the update
+  that the instance has no user setted (or the same one)
+  return false if it was impossible to set the user, it can be because the
+  activity is not avaible anymore for this instance or because another user
+  is already there.
   */
   function setActivityUser($activityId,$theuser) {
     if(empty($theuser)) $theuser='*';
+    $found = false;
     for($i=0;$i<count($this->activities);$i++) {
       if($this->activities[$i]['wf_activity_id']==$activityId) {
-        $this->activities[$i]['wf_user']=$theuser;
+        $found = true;
         $query = "update `".GALAXIA_TABLE_PREFIX."instance_activities` set `wf_user`=? where `wf_activity_id`=? and `wf_instance_id`=?";
-
-        $this->query($query,array($theuser,(int)$activityId,(int)$this->instanceId));
+        $bindvars = array($theuser,(int)$activityId,(int)$this->instanceId);
+        if(!($theuser=='*')) {
+          $query.= "and (`wf_user`=? or `wf_user`=?)";
+          $bindvars[]= $theuser;
+          $bindvars[]= '*';
+        }
+        $this->query($query,$bindvars);
+        if(!$this->db->Affected_Rows()) return false;
+        $this->activities[$i]['wf_user']=$theuser;
       }
-    }  
+    }
+    return $found;
   }
-  
+
   /*!
   Returns the user that must execute or is already executing an activity
   wherethis instance is present.