REST API Security Actor

REST API doesn't check Actor configuration?

It seems the REST API doesn't check the Actor configuration.

For example, with DemandeConge3.0.0, if you create a new Case with walter.bates, he cannot see the task "Valider Demande" from the Portal; only helen.kelly can see it (as Manager of walter.bates).

But with the REST API, connected as walter.bates, he can see all Tasks via a call to ../API/bpm/humanTask?p=0&c=10

He can even take all Tasks with a PUT to ../API/bpm/humanTask/{{$item.id}} and then execute them!

It seems it's a Security Problem?
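The missing server-side check the post describes, modelled as an added example (not Bonita's code): the task-list and take operations consult the process's actor mapping so that walter.bates only sees tasks whose actor resolves to him, while "Valider Demande" resolves to his manager helen.kelly. The user hierarchy, actor names and tasks are constructed.

```python
"""Actor-based authorization that a humanTask list/take endpoint should enforce.

Added example modelling the filter the post says is missing; not Bonita's own
implementation. Users, actor mapping and tasks are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed user hierarchy: login -> manager login (None at the top).
MANAGERS = {"walter.bates": "helen.kelly", "helen.kelly": None}


@dataclass
class Task:
    id: int
    name: str
    case_initiator: str
    actor: str                       # actor name declared in the process
    assignee: Optional[str] = None


def actor_members(actor: str, case_initiator: str) -> Set[str]:
    """Constructed actor mapping: resolve an actor name for a given case."""
    if actor == "Employee":          # the person who created the case
        return {case_initiator}
    if actor == "Manager":           # the manager of the case initiator
        mgr = MANAGERS.get(case_initiator)
        return {mgr} if mgr else set()
    return set()


def can_see(user: str, task: Task) -> bool:
    """True only if the caller is in the task's actor or already assigned."""
    return task.assignee == user or user in actor_members(task.actor, task.case_initiator)


def list_human_tasks(user: str, tasks: List[Task]) -> List[Task]:
    """What GET ../API/bpm/humanTask should return for this caller."""
    return [t for t in tasks if can_see(user, t)]


def take_task(user: str, task: Task) -> Task:
    """What PUT ../API/bpm/humanTask/{id} should do: refuse non-actors."""
    if not can_see(user, task):
        raise PermissionError(f"{user} is not an actor of task {task.id} ({task.name})")
    task.assignee = user
    return task


# Constructed case: walter.bates created the request; validation belongs to his manager.
TASKS = [
    Task(1, "Valider Demande", case_initiator="walter.bates", actor="Manager"),
    Task(2, "Compléter Demande", case_initiator="walter.bates", actor="Employee"),
]
```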
