[bug-fix] Permission revoked approver can still perform workflow approval tasks

[NutharaNR]

Purpose

Update pending approval task corresponding to the workflow, when the flow is updated.

Approach

For each pending state request under the changed workflow, check whether the workflow changes have affected the current state of the request. If affected:

• READY state requests are removed and recreated according to new workflow configs.
• RESERVED / BLOCKED state requests are checked for the eligibility to have the same state under the new configs. And if yes; a new set of tasks with RESERVED / BLOCKED is created or else a new READY state is created.

Related Issues

• Permission revoked approver can still perform workflow approval tasks wso2/product-is#25308

Related PRs

• [bug-fix] Permission revoked approver can still perform workflow approval tasks wso2/identity-api-server#979

User stories

Summary of user stories addressed by this change>

Release note

Brief description of the new feature or bug fix as it will appear in the release notes

Documentation

Link(s) to product documentation that addresses the changes of this PR. If no doc impact, enter “N/A” plus brief explanation of why there’s no doc impact

Training

Link to the PR for changes to the training content in https://github.com/wso2/WSO2-Training, if applicable

Certification

Type “Sent” when you have provided new/updated certification questions, plus four answers for each question (correct answer highlighted in bold), based on this change. Certification questions/answers should be sent to [email protected] and NOT pasted in this PR. If there is no impact on certification exams, type “N/A” and explain why.

Marketing

Link to drafts of marketing content that will describe and promote this feature, including product page changes, technical articles, blog posts, videos, etc., if applicable

Automation tests

• Unit tests

  Code coverage information

• Integration tests

  Details about the test cases and coverage

Security checks

• Followed secure coding standards in http://wso2.com/technical-reports/wso2-secure-engineering-guidelines? yes/no
• Ran FindSecurityBugs plugin and verified report? yes/no
• Confirmed that this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets? yes/no

Samples

Provide high-level details about the samples related to this feature

Related PRs

List any other related PRs

Migrations (if applicable)

Describe migration steps and platforms on which migration has been tested

Test environment

List all JDK versions, operating systems, databases, and browser/versions on which this feature/fix was tested

Learning

Describe the research phase and any blog posts, patterns, libraries, or add-ons you used to solve the problem.

[Copilot]

Pull Request Overview

This PR fixes a bug where permission-revoked approvers could still perform workflow approval tasks. The solution implements automatic updates to pending approval tasks when workflows are modified, ensuring that only eligible approvers can continue with approval processes.

• Updates pending approval task structures when workflow configurations change
• Validates existing reserved tasks against new approval configurations
• Adds utility methods for comparing approval steps and parameter changes

Reviewed Changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
WorkflowEngineConstants.java	Adds new SQL queries and reorganizes error codes with better categorization
Utils.java	New utility class with methods for processing approval step parameters and detecting modifications
ApprovalTaskDAOImpl.java	Implements new database methods for retrieving pending requests and approval task relations
ApprovalTaskDAO.java	Adds interface methods for pending request and approval task relation queries
ApprovalTaskRelationDTO.java	New DTO class for representing approval task data from database relations
DefaultTemplateInitializer.java	Removes unused role creation logic
ApprovalTaskServiceImpl.java	Core logic for updating approval tasks when workflows change
ApprovalTaskService.java	Interface method for workflow update handling

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[jenkins-is-staging]

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/17393884142

[jenkins-is-staging]

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/17393884142
Status: success

[jenkins-is-staging]

Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/17393884142

[BimsaraBodaragama]

How about wrapping this with a log.isDebugEnabled() check to avoid unnecessary string formatting when debug logging is disabled?

[Malith-19]

In here we are passing the error message when throwing the error anyway. So we can skip the debug check.

[BimsaraBodaragama]

How about wrapping this with a log.isDebugEnabled() check to avoid unnecessary string formatting when debug logging is disabled?