[ 
https://issues.apache.org/jira/browse/FINERACT-2688?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Foo Developer updated FINERACT-2688:
------------------------------------
    Component/s: Organization
    Description: 
When maker-checker is enabled and a user holds only the <ACTION>_CHECKER 
permission (e.g. DISBURSE_LOAN_CHECKER) but not the base permission, attempting 
to perform that action   
  returns a permission error instead of routing to the pending approval queue.  
                                                                                
                    
                                                                                
                                                                                
                    
  Root cause: PortfolioCommandSourceWritePlatformServiceImpl.logCommandSource() 
only called validateHasPermissionTo(taskPermission) unconditionally, rejecting 
any user who lacks   
  the base permission — even if they are a legitimate checker. Similarly, 
CommandSourceService.validateMakerChecker() only marked a command as checked 
for CHECKER_SUPER_USER,      
  ignoring role-specific _CHECKER permissions.                                  
                                                                                
                    
                                                                                
                                                                                
                    
  Fix:                                                                          
                                                                                
                    
  - In logCommandSource(): detect checker-only users (have _CHECKER but not 
base permission), look up the pending AWAITING_APPROVAL command for the same 
action/entity/resource, and
  auto-approve it. Block makers from submitting duplicate pending entries.      
                                                                                
                    
  - In validateMakerChecker(): broaden the isApprovedByChecker condition to 
include _CHECKER role-specific permissions, not just CHECKER_SUPER_USER.        
                        
  - Add CommandSourceRepository.findPendingByActionAndEntityAndResource() 
native query.                                                                   
                          
  - Add two domain exceptions: MakerCheckerCheckerOnlyInitiationException, 
MakerCheckerDuplicatePendingSubmissionException

> Loan disbursement fails for checker-only user despite having checker 
> permission 
> --------------------------------------------------------------------------------
>
>                 Key: FINERACT-2688
>                 URL: https://issues.apache.org/jira/browse/FINERACT-2688
>             Project: Apache Fineract
>          Issue Type: Bug
>          Components: Organization
>            Reporter: Foo Developer
>            Priority: Major
>
> When maker-checker is enabled and a user holds only the <ACTION>_CHECKER 
> permission (e.g. DISBURSE_LOAN_CHECKER) but not the base permission, 
> attempting to perform that action   
>   returns a permission error instead of routing to the pending approval 
> queue.                                                                        
>                               
>                                                                               
>                                                                               
>                         
>   Root cause: 
> PortfolioCommandSourceWritePlatformServiceImpl.logCommandSource() only called 
> validateHasPermissionTo(taskPermission) unconditionally, rejecting any user 
> who lacks   
>   the base permission — even if they are a legitimate checker. Similarly, 
> CommandSourceService.validateMakerChecker() only marked a command as checked 
> for CHECKER_SUPER_USER,      
>   ignoring role-specific _CHECKER permissions.                                
>                                                                               
>                         
>                                                                               
>                                                                               
>                         
>   Fix:                                                                        
>                                                                               
>                         
>   - In logCommandSource(): detect checker-only users (have _CHECKER but not 
> base permission), look up the pending AWAITING_APPROVAL command for the same 
> action/entity/resource, and
>   auto-approve it. Block makers from submitting duplicate pending entries.    
>                                                                               
>                         
>   - In validateMakerChecker(): broaden the isApprovedByChecker condition to 
> include _CHECKER role-specific permissions, not just CHECKER_SUPER_USER.      
>                           
>   - Add CommandSourceRepository.findPendingByActionAndEntityAndResource() 
> native query.                                                                 
>                             
>   - Add two domain exceptions: MakerCheckerCheckerOnlyInitiationException, 
> MakerCheckerDuplicatePendingSubmissionException



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to