[ 
https://issues.apache.org/jira/browse/FINERACT-2688?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Adam Saghy updated FINERACT-2688:
---------------------------------
    Labels: beginner beginner-friendly  (was: )

> Loan disbursement fails for checker-only user despite having checker 
> permission 
> --------------------------------------------------------------------------------
>
>                 Key: FINERACT-2688
>                 URL: https://issues.apache.org/jira/browse/FINERACT-2688
>             Project: Apache Fineract
>          Issue Type: Bug
>          Components: Organization
>            Reporter: Foo Developer
>            Priority: Major
>              Labels: beginner, beginner-friendly
>
> When maker-checker is enabled and a user holds only the <ACTION>_CHECKER 
> permission (e.g. DISBURSE_LOAN_CHECKER) but not the base permission, 
> attempting to perform that action   
>   returns a permission error instead of routing to the pending approval 
> queue.                                                                        
>                               
>                                                                               
>                                                                               
>                         
>   Root cause: 
> PortfolioCommandSourceWritePlatformServiceImpl.logCommandSource() only called 
> validateHasPermissionTo(taskPermission) unconditionally, rejecting any user 
> who lacks   
>   the base permission — even if they are a legitimate checker. Similarly, 
> CommandSourceService.validateMakerChecker() only marked a command as checked 
> for CHECKER_SUPER_USER,      
>   ignoring role-specific _CHECKER permissions.                                
>                                                                               
>                         
>                                                                               
>                                                                               
>                         
>   Fix:                                                                        
>                                                                               
>                         
>   - In logCommandSource(): detect checker-only users (have _CHECKER but not 
> base permission), look up the pending AWAITING_APPROVAL command for the same 
> action/entity/resource, and
>   auto-approve it. Block makers from submitting duplicate pending entries.    
>                                                                               
>                         
>   - In validateMakerChecker(): broaden the isApprovedByChecker condition to 
> include _CHECKER role-specific permissions, not just CHECKER_SUPER_USER.      
>                           
>   - Add CommandSourceRepository.findPendingByActionAndEntityAndResource() 
> native query.                                                                 
>                             
>   - Add two domain exceptions: MakerCheckerCheckerOnlyInitiationException, 
> MakerCheckerDuplicatePendingSubmissionException



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to