From 867be465686b7dce0ec829c14533ca03753941f7 Mon Sep 17 00:00:00 2001
From: Roly Gutierrez
Date: Wed, 13 May 2026 00:39:43 -0400
Subject: [PATCH] FOUR-31092 Military >> Unauthorized error with user TCO in tasks initiated by SFTP Description: When a user can claim an active self-service task, they can still see the task but receive 403 from /broadcasting/auth when subscribing to private-ProcessMaker.Models.ProcessRequest.{id>. The previous channel authorization only allowed request owner, participants, and process managers, so valid self-service users were excluded from request-level permission checks. Changes Updated routes/channels.phpto add a null-safe guard for missing requests and to include self-service task access in the ProcessRequest channel authorization check by usingcanUserClaimASelfServiceTask($user). Details This aligns broadcast authorization with existing task-level authorization behavior and prevents false-negative access denials for valid self-service flows while keeping admin/owner/participant logic intact. Related tickets: https://processmaker.atlassian.net/browse/FOUR-31092
---
 routes/channels.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/routes/channels.php b/routes/channels.php
index 64d6c9651d..33d2793343 100644
--- a/routes/channels.php
+++ b/routes/channels.php
@@ -28,10 +28,14 @@
 }
 $request = ProcessRequest::find($id);
+ if (!$request) {
+ return false;
+ }
 return $request->user_id === $user->id || !empty($request->participants()->where('users.id', $user->getKey())->first())
- || in_array($user->id, $request->process?->manager_id ?? []);
+ || in_array($user->id, $request->process?->manager_id ?? [])
+ || $request->canUserClaimASelfServiceTask($user);
 });
 Broadcast::channel('ProcessMaker.Models.ProcessRequestToken.{id}', function ($user, $id) {
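Review bot: The added `|| $request->canUserClaimASelfServiceTask($user)` clause widens who may subscribe to the request-level private channel, but the diffstat lists only routes/channels.php, so no test pins down the new scope. The helper's body is not visible here; it is worth confirming that it matches only active, unclaimed self-service tokens of this request, because otherwise members of a self-service group could keep receiving request-level events after the task is claimed by someone else or closed. I would add a comment above the clause, e.g. `// Self-service: allow users who can currently claim an active task of this request`, and a feature test on /broadcasting/auth covering a claimant (allowed), an unrelated user (denied) and a missing request id (denied by the new guard). The channel closure starts above the hunk, so the earlier branches could not be reviewed.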