From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.9 (X11; Linux i686; U;) Gecko/20030314

Description of problem:
The Tasks List query retrieves all items that are in a workflow state to which
the user is assigned, however, it does not apply any permissions filters to the
resulting set of items. Thus if an item is in a private folder then the user is
unable to action the item in their task list.

This is a severe problem as people attempt to de-centralize the CMS authoring &
approval processes to all members of their organisation, since a given workflow
may have hundreds of users assigned to each step, but each person only has
permissions to act on items in a small number of folders. Thus the task list may
have hundreds of entries of which only 10-20 are relating to items on which the
user has permission.


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Create two users
2. Assign both users to the Authoring phase of the production workflow
3. Create two folders.
4. Remove all default permissions from these two folders.
5. Give one user to edit privilege on one folder, the other user edit on the
other folder
6. Have each user create an item in their respective folder
7. Go to the task list

Actual Results:  Both users can see items  from both folders, even though they
each only have permission on one folder.

Expected Results:  The user can only see items on which they have permission.

Additional info:

I cannot understate the importance of this problem - it is holding up the
deployment of CMS for several APLAWS customers.