This will be more of a best practices question.
Let's assume there's a simple approval workflow running when a user (let's call him User A) creates a new item in a list. User A is just an ordinary visitor of the site.
That user has only Read permission to the site, but he also has Contribute permissions to the list, so he can create items in it.
Now let's assume there's also User B, who should approve items created by User A. He can also return the item for review to User A if there's something wrong or missing.
When User B returns the item for review, a Request Review task is created and assigned to User A.
In order for User A to respond to this task (or even display it), he needs Contribute permission to the workflow task (which at the time he does not have, since he has just Read permissions to the whole site).
One more thing to consider - any visitor of the site can create items in the library.
And now here comes my question (or more than one question :-) ) - What's the best possible way to approach this?
Do you simply assign Contribute to all authenticated users on Workflow Tasks library on the site?
Or is there some way to give Contribute access only for that task? (I haven't found a reliable way of achieving this myself so far.)
I could just give Contribute to the Workflow Tasks list for all users and be done with it, but this doesn't seem like a good approach to me.
Any advice would be much appreciated.
P.S. Sorry for the wall of text :-)