aya-abdallah-FOO opened a new pull request, #6128: URL: https://github.com/apache/fineract/pull/6128
## Summary
Fixes a bug where a user holding only a role-specific `_CHECKER`
permission (e.g. `DISBURSE_LOAN_CHECKER`) was rejected with a permission error
instead of being routed to the
pending maker-checker approval queue.
**Root causes:**
- `PortfolioCommandSourceWritePlatformServiceImpl.logCommandSource()`
called `validateHasPermissionTo(taskPermission)` unconditionally, rejecting
checker-only users
- `CommandSourceService.validateMakerChecker()` only marked a command as
checked for `CHECKER_SUPER_USER`, ignoring role-specific `_CHECKER` permissions
**Changes:**
- `logCommandSource()`: detect checker-only users (has `_CHECKER` but not
base permission), auto-approve the pending AWAITING_APPROVAL entry; block
makers from duplicate pending
submissions
- `validateMakerChecker()`: replace `isCheckerSuperUser()` with
`hasNotPermissionForAnyOf("CHECKER_SUPER_USER", permission + "_CHECKER")`
- Add `CommandSourceRepository.findPendingByActionAndEntityAndResource()`
native SQL query
- Add `MakerCheckerCheckerOnlyInitiationException` and
`MakerCheckerDuplicatePendingSubmissionException` (both → HTTP 403)
## JIRA
https://issues.apache.org/jira/browse/FINERACT-2688
## Test plan
- [ ] Enable maker-checker for loan disbursement
- [ ] Maker submits → queued as AWAITING_APPROVAL
- [ ] Maker submits again → HTTP 403
`error.msg.maker.checker.duplicate.pending.submission`
- [ ] Checker-only user (has `DISBURSE_LOAN_CHECKER`) submits →
auto-approves and disburses
- [ ] Checker-only with no pending entry → HTTP 403
`error.msg.maker.checker.checker.only.cannot.initiate`
- [ ] Existing `/makerchecker/{id}` approve/reject flow unaffected
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
