Skip to content

FINERACT-2688: Fix loan disbursement for checker-only users via maker-checker permission check#6128

Open
aya-abdallah-FOO wants to merge 1 commit into
apache:developfrom
foodeveloper:port/CBS-509-loan-disbursement-checker-permission
Open

FINERACT-2688: Fix loan disbursement for checker-only users via maker-checker permission check#6128
aya-abdallah-FOO wants to merge 1 commit into
apache:developfrom
foodeveloper:port/CBS-509-loan-disbursement-checker-permission

Conversation

@aya-abdallah-FOO

Copy link
Copy Markdown

Summary

Fixes a bug where a user holding only a role-specific _CHECKER permission (e.g. DISBURSE_LOAN_CHECKER) was rejected with a permission error instead of being routed to the
pending maker-checker approval queue.

Root causes:

  • PortfolioCommandSourceWritePlatformServiceImpl.logCommandSource() called validateHasPermissionTo(taskPermission) unconditionally, rejecting checker-only users
  • CommandSourceService.validateMakerChecker() only marked a command as checked for CHECKER_SUPER_USER, ignoring role-specific _CHECKER permissions

Changes:

  • logCommandSource(): detect checker-only users (has _CHECKER but not base permission), auto-approve the pending AWAITING_APPROVAL entry; block makers from duplicate pending
    submissions
  • validateMakerChecker(): replace isCheckerSuperUser() with hasNotPermissionForAnyOf("CHECKER_SUPER_USER", permission + "_CHECKER")
  • Add CommandSourceRepository.findPendingByActionAndEntityAndResource() native SQL query
  • Add MakerCheckerCheckerOnlyInitiationException and MakerCheckerDuplicatePendingSubmissionException (both → HTTP 403)

JIRA

https://issues.apache.org/jira/browse/FINERACT-2688

Test plan

  • Enable maker-checker for loan disbursement
  • Maker submits → queued as AWAITING_APPROVAL
  • Maker submits again → HTTP 403 error.msg.maker.checker.duplicate.pending.submission
  • Checker-only user (has DISBURSE_LOAN_CHECKER) submits → auto-approves and disburses
  • Checker-only with no pending entry → HTTP 403 error.msg.maker.checker.checker.only.cannot.initiate
  • Existing /makerchecker/{id} approve/reject flow unaffected

…-checker permission check

When maker-checker is enabled, a user holding only the <ACTION>_CHECKER
permission (e.g. DISBURSE_LOAN_CHECKER) was rejected with a permission
error instead of being routed to the pending approval queue.

- logCommandSource(): detect checker-only users, look up the pending
  AWAITING_APPROVAL command for the same action/entity/resource, and
  auto-approve it; block makers from duplicate pending submissions
- validateMakerChecker(): broaden approval condition from isCheckerSuperUser()
  to also accept role-specific _CHECKER permissions
- Add CommandSourceRepository.findPendingByActionAndEntityAndResource()
  native query (searches all resource-id columns)
- Add MakerCheckerCheckerOnlyInitiationException and
  MakerCheckerDuplicatePendingSubmissionException

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@aya-abdallah-FOO aya-abdallah-FOO force-pushed the port/CBS-509-loan-disbursement-checker-permission branch 2 times, most recently from 30e1794 to f830f34 Compare July 13, 2026 15:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant