aya-abdallah-FOO opened a new pull request, #6128:
URL: https://github.com/apache/fineract/pull/6128

   ## Summary                                                                   
                                                                                
                     
                                                                                
                                                                                
                       
     Fixes a bug where a user holding only a role-specific `_CHECKER` 
permission (e.g. `DISBURSE_LOAN_CHECKER`) was rejected with a permission error 
instead of being routed to the    
     pending maker-checker approval queue.                                      
                                                                                
                       
                                                                                
                                                                                
                       
     **Root causes:**                                                           
                                                                                
                       
     - `PortfolioCommandSourceWritePlatformServiceImpl.logCommandSource()` 
called `validateHasPermissionTo(taskPermission)` unconditionally, rejecting 
checker-only users              
     - `CommandSourceService.validateMakerChecker()` only marked a command as 
checked for `CHECKER_SUPER_USER`, ignoring role-specific `_CHECKER` permissions 
                         
                                                                                
                                                                                
                       
     **Changes:**                                                               
                                                                                
                       
     - `logCommandSource()`: detect checker-only users (has `_CHECKER` but not 
base permission), auto-approve the pending AWAITING_APPROVAL entry; block 
makers from duplicate pending 
     submissions                                                                
                                                                                
                       
     - `validateMakerChecker()`: replace `isCheckerSuperUser()` with 
`hasNotPermissionForAnyOf("CHECKER_SUPER_USER", permission + "_CHECKER")`       
                                  
     - Add `CommandSourceRepository.findPendingByActionAndEntityAndResource()` 
native SQL query                                                                
                        
     - Add `MakerCheckerCheckerOnlyInitiationException` and 
`MakerCheckerDuplicatePendingSubmissionException` (both → HTTP 403)             
                                           
                                                                                
                                                                                
                       
     ## JIRA                                                                    
                                                                                
                       
     https://issues.apache.org/jira/browse/FINERACT-2688                        
                                                                                
                       
                                                                                
                                                                                
                       
     ## Test plan                                                               
                                                                                
                       
     - [ ] Enable maker-checker for loan disbursement                           
                                                                                
                       
     - [ ] Maker submits → queued as AWAITING_APPROVAL                          
                                                                                
                       
     - [ ] Maker submits again → HTTP 403 
`error.msg.maker.checker.duplicate.pending.submission`                          
                                                             
     - [ ] Checker-only user (has `DISBURSE_LOAN_CHECKER`) submits → 
auto-approves and disburses                                                     
                                  
     - [ ] Checker-only with no pending entry → HTTP 403 
`error.msg.maker.checker.checker.only.cannot.initiate`                          
                                              
     - [ ] Existing `/makerchecker/{id}` approve/reject flow unaffected  


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to