FINERACT-2688: Fix loan disbursement for checker-only users via maker-checker permission check#6128
Open
aya-abdallah-FOO wants to merge 1 commit into
Conversation
…-checker permission check When maker-checker is enabled, a user holding only the <ACTION>_CHECKER permission (e.g. DISBURSE_LOAN_CHECKER) was rejected with a permission error instead of being routed to the pending approval queue. - logCommandSource(): detect checker-only users, look up the pending AWAITING_APPROVAL command for the same action/entity/resource, and auto-approve it; block makers from duplicate pending submissions - validateMakerChecker(): broaden approval condition from isCheckerSuperUser() to also accept role-specific _CHECKER permissions - Add CommandSourceRepository.findPendingByActionAndEntityAndResource() native query (searches all resource-id columns) - Add MakerCheckerCheckerOnlyInitiationException and MakerCheckerDuplicatePendingSubmissionException Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
30e1794 to
f830f34
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes a bug where a user holding only a role-specific
_CHECKERpermission (e.g.DISBURSE_LOAN_CHECKER) was rejected with a permission error instead of being routed to thepending maker-checker approval queue.
Root causes:
PortfolioCommandSourceWritePlatformServiceImpl.logCommandSource()calledvalidateHasPermissionTo(taskPermission)unconditionally, rejecting checker-only usersCommandSourceService.validateMakerChecker()only marked a command as checked forCHECKER_SUPER_USER, ignoring role-specific_CHECKERpermissionsChanges:
logCommandSource(): detect checker-only users (has_CHECKERbut not base permission), auto-approve the pending AWAITING_APPROVAL entry; block makers from duplicate pendingsubmissions
validateMakerChecker(): replaceisCheckerSuperUser()withhasNotPermissionForAnyOf("CHECKER_SUPER_USER", permission + "_CHECKER")CommandSourceRepository.findPendingByActionAndEntityAndResource()native SQL queryMakerCheckerCheckerOnlyInitiationExceptionandMakerCheckerDuplicatePendingSubmissionException(both → HTTP 403)JIRA
https://issues.apache.org/jira/browse/FINERACT-2688
Test plan
error.msg.maker.checker.duplicate.pending.submissionDISBURSE_LOAN_CHECKER) submits → auto-approves and disburseserror.msg.maker.checker.checker.only.cannot.initiate/makerchecker/{id}approve/reject flow unaffected