netgrif · mazarijuraj · Jun 5, 2026 · May 13, 2026 · May 13, 2026 · May 25, 2026
diff --git a/src/main/java/com/netgrif/application/engine/elastic/service/ElasticTaskService.java b/src/main/java/com/netgrif/application/engine/elastic/service/ElasticTaskService.java
@@ -178,7 +178,6 @@ protected BoolQueryBuilder buildSingleQuery(ElasticTaskSearchRequest request, Lo
         if (request == null) {
             throw new IllegalArgumentException("Request can not be null!");
         }
-        addRolesQueryConstraint(request, user);
 
         BoolQueryBuilder query = boolQuery();
         buildViewPermissionQuery(query, user);
@@ -198,17 +197,6 @@ protected BoolQueryBuilder buildSingleQuery(ElasticTaskSearchRequest request, Lo
             return query;
     }
 
-    protected void addRolesQueryConstraint(ElasticTaskSearchRequest request, LoggedUser user) {
-        if (request.role != null && !request.role.isEmpty()) {
-            Set<String> roles = new HashSet<>(request.role);
-            roles.addAll(user.getProcessRoles());
-            request.role = new ArrayList<>(roles);
-        } else {
-            request.role = new ArrayList<>(user.getProcessRoles());
-        }
-    }
-
-
     /**
      * Tasks of case with id "5cb07b6ff05be15f0b972c4d"
      * {

diff --git a/...ain/java/com/netgrif/application/engine/elastic/service/ElasticViewPermissionService.java b/...ain/java/com/netgrif/application/engine/elastic/service/ElasticViewPermissionService.java
@@ -8,93 +8,64 @@
 public abstract class ElasticViewPermissionService {
 
     protected void buildViewPermissionQuery(BoolQueryBuilder query, LoggedUser user) {
-        // Check if viewRoles or viewUserRefs exist
-        BoolQueryBuilder viewPermsExists = boolQuery()
-                .should(existsQuery("viewRoles"))
-                .should(existsQuery("viewUserRefs"));
-        // Condition where these attributes do NOT exist
-        BoolQueryBuilder viewPermNotExists = boolQuery()
-                .mustNot(viewPermsExists);
 
-        /* Build positive view role query */
-        BoolQueryBuilder positiveViewRole = buildPositiveViewRoleQuery(viewPermNotExists, user);
+//        (Rp!=0 & Rn = 0)
+        BoolQueryBuilder roleViewQuery = boolQuery()
+                .filter(buildPositiveViewRoleQuery(user))
+                .mustNot(buildNegativeViewRoleQuery(user));
 
-        /* Build negative view role query */
-        BoolQueryBuilder negativeViewRole = buildNegativeViewRoleQuery(user);
-
-        /* Positive view role set-minus negative view role */
-        BoolQueryBuilder positiveRoleSetMinusNegativeRole = setMinus(positiveViewRole, negativeViewRole);
-
-        /* Build positive view userList query */
-        BoolQueryBuilder positiveViewUser = buildPositiveViewUser(viewPermNotExists, user);
-
-        /* Role query union positive view userList */
-        BoolQueryBuilder roleSetMinusPositiveUserList = union(positiveRoleSetMinusNegativeRole, positiveViewUser);
-
-        /* Build negative view userList query */
-        BoolQueryBuilder negativeViewUser = buildNegativeViewUser(user);
-
-        /* Role-UserListPositive set-minus negative view userList */
-        BoolQueryBuilder permissionQuery = setMinus(roleSetMinusPositiveUserList, negativeViewUser);
+//        ((Rp!=0 & Rn = 0) or Up!=0)
+        BoolQueryBuilder roleOrPositiveUserQuery = boolQuery().should(roleViewQuery)
+                .should(buildPositiveViewUser(user))
+                .minimumShouldMatch(1);
 
-        query.filter(permissionQuery);
+//        (((Rp!=0 & Rn = 0) or Up!=0) & Un=0) == 1
+        query.filter(roleOrPositiveUserQuery)
+                .mustNot(buildNegativeViewUser(user));
     }
 
     /**
      * Build a positive view role query using termsQuery for efficiency.
      * This reduces the number of clauses by sending all roles at once.
      */
-    private BoolQueryBuilder buildPositiveViewRoleQuery(BoolQueryBuilder viewPermNotExists, LoggedUser user) {
+    private BoolQueryBuilder buildPositiveViewRoleQuery(LoggedUser user) {
         BoolQueryBuilder positiveViewRole = boolQuery();
         if (!user.getProcessRoles().isEmpty()) {
             positiveViewRole.should(termsQuery("viewRoles", user.getProcessRoles()));
         }
-        positiveViewRole.should(viewPermNotExists);
+        positiveViewRole.minimumShouldMatch(1);
         return positiveViewRole;
     }
 
     /**
-     * Build a negative view role query by excluding negative roles.
+     * Build a negative view role query.
      */
     private BoolQueryBuilder buildNegativeViewRoleQuery(LoggedUser user) {
         BoolQueryBuilder negativeViewRole = boolQuery();
         if (!user.getProcessRoles().isEmpty()) {
-            negativeViewRole.mustNot(termsQuery("negativeViewRoles", user.getProcessRoles()));
+            negativeViewRole.should(termsQuery("negativeViewRoles", user.getProcessRoles()));
         }
+        negativeViewRole.minimumShouldMatch(1);
         return negativeViewRole;
     }
 
     /**
-     * Build a positive view user query using filter (as score is not needed).
+     * Build a positive view user query.
      */
-    private BoolQueryBuilder buildPositiveViewUser(BoolQueryBuilder viewPermNotExists, LoggedUser user) {
-        return boolQuery()
-                .should(viewPermNotExists)
-                .filter(termQuery("viewUsers", user.getId()));
+    private BoolQueryBuilder buildPositiveViewUser(LoggedUser user) {
+        BoolQueryBuilder positiveViewUser = boolQuery();
+        positiveViewUser.should(termQuery("viewUsers", user.getId()));
+        positiveViewUser.minimumShouldMatch(1);
+        return positiveViewUser;
     }
 
     /**
-     * Build a negative view user query to exclude the specified user.
+     * Build a negative view user query.
      */
     private BoolQueryBuilder buildNegativeViewUser(LoggedUser user) {
-        return boolQuery()
-                .mustNot(termQuery("negativeViewUsers", user.getId()));
-    }
-
-    private BoolQueryBuilder setMinus(BoolQueryBuilder positiveSet, BoolQueryBuilder negativeSet) {
-        BoolQueryBuilder positiveSetMinusNegativeSet = boolQuery();
-        positiveSetMinusNegativeSet.must(positiveSet);
-        positiveSetMinusNegativeSet.must(negativeSet);
-        return positiveSetMinusNegativeSet;
-    }
-
-    /**
-     * Unions two queries using OR with a minimum_should_match of 1.
-     */
-    private BoolQueryBuilder union(BoolQueryBuilder setA, BoolQueryBuilder setB) {
-        return boolQuery()
-                .should(setA)
-                .should(setB)
-                .minimumShouldMatch(1);
+        BoolQueryBuilder negativeViewUser = boolQuery();
+        negativeViewUser.should(termQuery("negativeViewUsers", user.getId()));
+        negativeViewUser.minimumShouldMatch(1);
+        return negativeViewUser;
     }
 }
diff --git a/src/main/java/com/netgrif/application/engine/importer/service/Importer.java b/src/main/java/com/netgrif/application/engine/importer/service/Importer.java
@@ -1156,32 +1156,20 @@ protected void addPredefinedRolesWithDefaultPermissions(com.netgrif.application.
                 return;
             }
         }
-        // Don't add if positive roles or triggers or positive user refs
-        if ((importTransition.getRoleRef() != null && importTransition.getRoleRef().stream().anyMatch(this::hasPositivePermission))
-                || (importTransition.getTrigger() != null && !importTransition.getTrigger().isEmpty())
-                || (importTransition.getUsersRef() != null && importTransition.getUsersRef().stream().anyMatch(this::hasPositivePermission))
-                || (importTransition.getUserRef() != null && importTransition.getUserRef().stream().anyMatch(this::hasPositivePermission))) {
+
+        if ((importTransition.getRoleRef() != null && !importTransition.getRoleRef().isEmpty()) ||
+                (importTransition.getUsersRef() != null && !importTransition.getUsersRef().isEmpty()) ||
+                (importTransition.getUserRef() != null && !importTransition.getUserRef().isEmpty())) {
             return;
         }
 
         addDefaultRole(transition);
         addAnonymousRole(transition);
     }
 
-    protected boolean hasPositivePermission(PermissionRef permissionRef) {
-        return (permissionRef.getLogic().isPerform() != null && permissionRef.getLogic().isPerform())
-                || (permissionRef.getLogic().isCancel() != null && permissionRef.getLogic().isCancel())
-                || (permissionRef.getLogic().isView() != null && permissionRef.getLogic().isView())
-                || (permissionRef.getLogic().isAssign() != null && permissionRef.getLogic().isAssign())
-                || (permissionRef.getLogic().isAssigned() != null && permissionRef.getLogic().isAssigned())
-                || (permissionRef.getLogic().isFinish() != null && permissionRef.getLogic().isFinish())
-                || (permissionRef.getLogic().isDelegate() != null && permissionRef.getLogic().isDelegate());
-    }
-
     protected void addPredefinedRolesWithDefaultPermissions() {
         // only if no positive role associations and no positive user ref associations
-        if (net.getPermissions().values().stream().anyMatch(perms -> perms.containsValue(true))
-                || net.getUserRefs().values().stream().anyMatch(perms -> perms.containsValue(true))) {
+        if (!net.getPermissions().isEmpty() || !net.getUserRefs().isEmpty()) {
             return;
         }
 

diff --git a/src/main/java/com/netgrif/application/engine/workflow/domain/Case.java b/src/main/java/com/netgrif/application/engine/workflow/domain/Case.java
@@ -354,9 +354,16 @@ public void resolveViewUserRefs() {
     public void resolveViewUsers() {
         getViewUsers();
         this.viewUsers.clear();
+        this.negativeViewUsers.clear();
         this.users.forEach((user, perms) -> {
-            if (perms.containsKey(RolePermission.VIEW.getValue()) && perms.get(RolePermission.VIEW.getValue())) {
+            if (!perms.containsKey(RolePermission.VIEW.getValue())) {
+                return;
+            }
+            boolean viewPermission = perms.get(RolePermission.VIEW.getValue());
+            if(viewPermission){
                 viewUsers.add(user);
+            } else {
+                negativeViewUsers.add(user);
             }
         });
     }

diff --git a/src/main/java/com/netgrif/application/engine/workflow/domain/Task.java b/src/main/java/com/netgrif/application/engine/workflow/domain/Task.java
@@ -329,9 +329,16 @@ public void resolveViewUserRefs() {
     public void resolveViewUsers() {
         getViewUsers();
         this.viewUsers.clear();
+        this.negativeViewUsers.clear();
         this.users.forEach((role, perms) -> {
-            if (perms.containsKey(RolePermission.VIEW.getValue()) && perms.get(RolePermission.VIEW.getValue())) {
+            if (!perms.containsKey(RolePermission.VIEW.getValue())) {
+                return;
+            }
+            boolean viewPermission = perms.get(RolePermission.VIEW.getValue());
+            if (viewPermission) {
                 viewUsers.add(role);
+            } else {
+                negativeViewUsers.add(role);
             }
         });
     }

diff --git a/src/main/java/com/netgrif/application/engine/workflow/service/TaskSearchService.java b/src/main/java/com/netgrif/application/engine/workflow/service/TaskSearchService.java
@@ -41,16 +41,17 @@ public Predicate buildQuery(List<TaskSearchRequest> requests, LoggedUser user, L
 
         BooleanBuilder builder = constructPredicateTree(singleQueries, isIntersection ? BooleanBuilder::and : BooleanBuilder::or);
 
-        BooleanBuilder constraints = new BooleanBuilder(buildRolesQueryConstraint(loggedOrImpersonated));
-        constraints.or(buildUserRefQueryConstraint(loggedOrImpersonated));
-        builder.and(constraints);
-
-        BooleanBuilder permissionConstraints = new BooleanBuilder(buildViewRoleQueryConstraint(loggedOrImpersonated));
-        permissionConstraints.andNot(buildNegativeViewRoleQueryConstraint(loggedOrImpersonated));
-        permissionConstraints.or(buildViewUserQueryConstraint(loggedOrImpersonated));
-        permissionConstraints.andNot(buildNegativeViewUsersQueryConstraint(loggedOrImpersonated));
-        builder.and(permissionConstraints);
-        return builder;
+        //        (Rp!=0 & Rn = 0)
+        BooleanBuilder constraints = new BooleanBuilder(buildViewRoleQueryConstraint(loggedOrImpersonated))
+                .andNot(buildNegativeViewRoleQueryConstraint(loggedOrImpersonated));
+
+        //        ((Rp!=0 & Rn = 0) or Up!=0)
+        constraints.or(buildViewUserQueryConstraint(loggedOrImpersonated));
+
+        //        (((Rp!=0 & Rn = 0) or Up!=0) & Un=0) == 1
+        constraints.andNot(buildNegativeViewUsersQueryConstraint(loggedOrImpersonated));
+
+        return builder.and(constraints);
     }
 
     protected Predicate buildRolesQueryConstraint(LoggedUser user) {
@@ -69,7 +70,7 @@ protected Predicate buildViewRoleQueryConstraint(LoggedUser user) {
     }
 
     public Predicate viewRoleQuery(String role) {
-        return QTask.task.viewUserRefs.isEmpty().and(QTask.task.viewRoles.isEmpty()).or(QTask.task.viewRoles.contains(role));
+        return QTask.task.viewRoles.contains(role);
     }
 
     protected Predicate buildViewUserQueryConstraint(LoggedUser user) {
@@ -78,7 +79,7 @@ protected Predicate buildViewUserQueryConstraint(LoggedUser user) {
     }
 
     public Predicate viewUsersQuery(String userId) {
-        return QTask.task.negativeViewRoles.isEmpty().and(QTask.task.viewUserRefs.isEmpty()).and(QTask.task.viewRoles.isEmpty()).or(QTask.task.viewUsers.contains(userId));
+        return QTask.task.viewUsers.contains(userId);
     }
 
     protected Predicate buildNegativeViewRoleQueryConstraint(LoggedUser user) {

diff --git a/src/main/java/com/netgrif/application/engine/workflow/service/TaskService.java b/src/main/java/com/netgrif/application/engine/workflow/service/TaskService.java
@@ -780,12 +780,9 @@ public List<Task> resolveUserRef(Case useCase) {
     @Override
     public Task resolveUserRef(Task task, Case useCase) {
         task.getUsers().clear();
-        task.getNegativeViewUsers().clear();
         task.getUserRefs().forEach((id, permission) -> {
             List<String> userIds = getExistingUsers((UserListFieldValue) useCase.getDataSet().get(id).getValue());
-            if (userIds != null && !userIds.isEmpty() && permission.containsKey("view") && !permission.get("view")) {
-                task.getNegativeViewUsers().addAll(userIds);
-            } else if (userIds != null && !userIds.isEmpty()) {
+            if (userIds != null && !userIds.isEmpty()) {
                 task.addUsers(new HashSet<>(userIds), permission);
             }
         });

diff --git a/src/main/java/com/netgrif/application/engine/workflow/service/WorkflowService.java b/src/main/java/com/netgrif/application/engine/workflow/service/WorkflowService.java
@@ -218,7 +218,6 @@ public long count(Map<String, Object> request, LoggedUser user, Locale locale) {
     @Override
     public Case resolveUserRef(Case useCase) {
         useCase.getUsers().clear();
-        useCase.getNegativeViewUsers().clear();
         useCase.getUserRefs().forEach((id, permission) -> {
             resolveUserRefPermissions(useCase, id, permission);
         });
@@ -230,11 +229,7 @@ public Case resolveUserRef(Case useCase) {
     private void resolveUserRefPermissions(Case useCase, String userListId, Map<String, Boolean> permission) {
         List<String> userIds = getExistingUsers((UserListFieldValue) useCase.getDataSet().get(userListId).getValue());
         if (userIds != null && !userIds.isEmpty()) {
-            if (permission.containsKey("view") && !permission.get("view")) {
-                useCase.getNegativeViewUsers().addAll(userIds);
-            } else {
-                useCase.addUsers(new HashSet<>(userIds), permission);
-            }
+            useCase.addUsers(new HashSet<>(userIds), permission);
         }
     }