package org.activiti.cloud.services.security;

import com.querydsl.core.types.Predicate;
import com.querydsl.core.types.dsl.BooleanExpression;
import com.querydsl.core.types.dsl.StringPath;
import org.activiti.api.runtime.shared.security.SecurityManager;
import org.activiti.cloud.services.query.model.QProcessInstanceEntity;
import org.activiti.core.common.spring.security.policies.SecurityPoliciesManager;
import org.activiti.core.common.spring.security.policies.SecurityPolicyAccess;

/* loaded from: input_file:org/activiti/cloud/services/security/ProcessInstanceRestrictionService.class */
/**
 * Narrows process-instance queries to what the current caller is allowed to see.
 *
 * <p>Two restrictions are combined: an "involved user" restriction built from the
 * authenticated user id, and, when security policies are defined, a process
 * definition key filter delegated to {@link ProcessDefinitionKeyBasedRestrictionBuilder}.
 */
public class ProcessInstanceRestrictionService {
    private final SecurityPoliciesManager securityPoliciesManager;
    private final ProcessInstanceFilter processInstanceFilter;
    private final ProcessDefinitionKeyBasedRestrictionBuilder restrictionBuilder;
    private final SecurityManager securityManager;

    /**
     * Creates the service from its collaborators; each argument is stored as given.
     *
     * @param securityPoliciesManager reports whether security policies are defined
     * @param processInstanceFilter filter handed to the restriction builder
     * @param processDefinitionKeyBasedRestrictionBuilder applies the process definition key filter
     * @param securityManager source of the authenticated user id
     */
    public ProcessInstanceRestrictionService(
            SecurityPoliciesManager securityPoliciesManager,
            ProcessInstanceFilter processInstanceFilter,
            ProcessDefinitionKeyBasedRestrictionBuilder processDefinitionKeyBasedRestrictionBuilder,
            SecurityManager securityManager) {
        this.securityPoliciesManager = securityPoliciesManager;
        this.processInstanceFilter = processInstanceFilter;
        this.restrictionBuilder = processDefinitionKeyBasedRestrictionBuilder;
        this.securityManager = securityManager;
    }

    /**
     * Adds the access restrictions to a process-instance query predicate.
     *
     * <p>The involved-user restriction is always computed first. If no security
     * policies are defined, that result is returned as is; otherwise it is passed
     * through the process definition key filter for the requested access level.
     *
     * @param predicate the caller's query predicate
     * @param securityPolicyAccess the access level forwarded to the key filter
     * @return the restricted predicate
     */
    public Predicate restrictProcessInstanceQuery(Predicate predicate, SecurityPolicyAccess securityPolicyAccess) {
        Predicate involvedOnly = applyInvolvedRestriction(predicate);
        if (this.securityPoliciesManager.arePoliciesDefined()) {
            return this.restrictionBuilder.applyProcessDefinitionKeyFilter(
                    involvedOnly, securityPolicyAccess, this.processInstanceFilter);
        }
        // No policies defined: the involved-user restriction is the only filter applied.
        return involvedOnly;
    }

    /**
     * Limits the predicate to process instances the authenticated user is involved in:
     * as initiator, as assignee of any task, or as a candidate user of any task.
     *
     * @param predicate the caller's query predicate
     * @return the involvement condition AND-ed with {@code predicate}, or {@code predicate}
     *     unchanged when there is no authenticated user id
     */
    private Predicate applyInvolvedRestriction(Predicate predicate) {
        String userId = this.securityManager.getAuthenticatedUserId();
        if (userId == null) {
            // NOTE(review): with a null user id the involvement restriction is skipped
            // entirely, so the query is only narrowed by whatever the caller passed in
            // (and by the key filter, if policies are defined). Confirm that
            // authentication is enforced before this service is reached.
            return predicate;
        }

        QProcessInstanceEntity processInstance = QProcessInstanceEntity.processInstanceEntity;
        BooleanExpression isInitiator = processInstance.initiator.eq(userId);
        BooleanExpression isAssignee = processInstance.tasks.any().assignee.eq(userId);
        BooleanExpression isCandidateUser =
                processInstance.tasks.any().taskCandidateUsers.any().userId.eq(userId);

        return isInitiator.or(isAssignee).or(isCandidateUser).and(predicate);
    }
}
