Add Rights checks to requisitions save/submit/approve/delete endpoints
Description
Work | Priority | Story Points | Assignee | Status
---|---|---|---|---
None | Sebastian Brudziński | | |
None | Sebastian Brudziński | | |
Activity
All works.
1. User with right REQUISITION_VIEW can only view the requisition. User can't e.g approve the requisitions or delete them.
2. User with right REQUISITION_DELETE can delete the requisition. User can't e.g. create the requisitions.
3. User with right REQUISITION_AUTHORIZE can authorize the requisition. User can't e.g. delete the requisitions.
4. User with right REQUISITION_APPROVE can approve requisition. User can't e.g. authorize the requisition.
5. User with right REQUISITION_CREATE can initiate/submit the requisition. User can't e.g. authorize/approve the requisition.
6. When a user tries to e.g. authorize/approve the requisition from a facility which he does not supervise, the action can't be done. Proper message is displayed:
{
"message": "User is lacking permission to access the resource",
"description": "You do not have the following permission to perform this action: REQUISITION_AUTHORIZE"
}
7. When user tries to delete the requisition without proper right assigned, the same error with information about missing the proper right is displayed.
@Brandon Bowersox-Johnson Reviewed. I added a bit to the implementation subtask.
Update: DONE. @Chongsun Ahn please review how I've broken this into 2 sub-tasks that contain the details.
@Brandon Bowersox-Johnson and @Chongsun Ahn please re-write this ticket.
Re-write this into the following pieces:
design how we want this to work (including which error/responses it should give if the person is not authorized; also consider if we should use annotations)
creating the rights in the system or seed data
create re-usable code for calling /hasRight from Requisition service to check permissions
Linking to OLMIS-1120, this ticket's title is for "right checks to areas already implemented" but really is for requisitions. @Mary Jo Kochendorfer and @Josh Zamor agreed we'd tackle the rights checks as part of the larger https://openlmis.atlassian.net/browse/OLMIS-1120#icft=OLMIS-1120 which will tackle tech debt of the reference data endpoints.

Prior to this ticket, the Requisition Service had been built without security validation. It needs to apply security checks that restrict each action according to RBAC and Supervisory Nodes. Now that RBAC is implemented (OLMIS-545: Role-Based Access Control (RBAC) for Admin/Requisitions/Fulfillment, status Done), we can apply those permissions to the Requisition Service.
The first sub-task of this ticket will fill in this description to specify the permissions required for each action:
Initiate a Requisition: REQUISITION_CREATE
Update a Requisition (setting fields in the line items): REQUISITION_CREATE or REQUISITION_APPROVE or REQUISITION_AUTHORIZE
Submit a Requisition: REQUISITION_CREATE
Approve a Requisition: REQUISITION_APPROVE
Authorize a Requisition: REQUISITION_AUTHORIZE
Delete a Requisition: REQUISITION_DELETE
View a Requisition: REQUISITION_VIEW
More info here: https://openlmis.atlassian.net/wiki/display/OP/Requisition+Rights
-Initiate a Requisition: User must have "Requisition - Create" permission at the facility for which they are trying to create the requisition. This happens either by the user's home facility or by supervisory node. Cross-reference https://openlmis.atlassian.net/browse/OLMIS-867#icft=OLMIS-867 and page 50 in the Configuration Guide.- (Covered by https://openlmis.atlassian.net/browse/OLMIS-1152#icft=OLMIS-1152)
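The following is an added illustration of the reusable rights check the comments ask for, written in Python as a language-agnostic sketch rather than OpenLMIS's own Java code. It encodes the action-to-right mapping above, resolves a right at a facility either through the user's home facility or through a supervisory node, and returns the error payload quoted in the test comment when the check fails. The facility and node names, the sample users, the in-memory supervisory-node table, and the joining of alternative rights with " or " are all constructed for this example and are not taken from the project.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Optional, Tuple

# Action -> rights, any one of which is sufficient (from the ticket description).
REQUIRED_RIGHTS = {
    "initiate":  {"REQUISITION_CREATE"},
    "update":    {"REQUISITION_CREATE", "REQUISITION_APPROVE", "REQUISITION_AUTHORIZE"},
    "submit":    {"REQUISITION_CREATE"},
    "approve":   {"REQUISITION_APPROVE"},
    "authorize": {"REQUISITION_AUTHORIZE"},
    "delete":    {"REQUISITION_DELETE"},
    "view":      {"REQUISITION_VIEW"},
}

# Constructed supervisory-node table: node -> facilities it supervises.
SUPERVISED_FACILITIES = {"node-north": {"fac-2", "fac-3"}}


@dataclass(frozen=True)
class RoleAssignment:
    right: str
    # None means the right is granted at the user's home facility; otherwise it
    # is granted at every facility the named supervisory node supervises.
    supervisory_node: Optional[str] = None


@dataclass(frozen=True)
class User:
    name: str
    home_facility: str
    assignments: Tuple[RoleAssignment, ...]


class MissingPermissionError(Exception):
    """Raised when none of the rights an action needs is held at the facility."""

    def __init__(self, rights):
        self.rights = list(rights)
        super().__init__(self.payload["description"])

    @property
    def payload(self):
        # Same shape as the error body quoted in the ticket's test comment.
        return {
            "message": "User is lacking permission to access the resource",
            "description": "You do not have the following permission to perform "
                           "this action: " + " or ".join(self.rights),
        }


def has_right(user, right, facility):
    """True if `right` is granted to `user` at `facility` via home facility or a node."""
    for assignment in user.assignments:
        if assignment.right != right:
            continue
        if assignment.supervisory_node is None:
            if facility == user.home_facility:
                return True
        elif facility in SUPERVISED_FACILITIES.get(assignment.supervisory_node, ()):
            return True
    return False


def check_permission(user, action, facility):
    """Raise MissingPermissionError unless one of the action's rights is held."""
    required = sorted(REQUIRED_RIGHTS[action])
    if not any(has_right(user, r, facility) for r in required):
        raise MissingPermissionError(required)


def requires(action):
    """Decorator guarding an endpoint-style handler with check_permission."""
    def decorate(handler):
        @wraps(handler)
        def guarded(user, requisition, *args, **kwargs):
            check_permission(user, action, requisition["facility"])
            return handler(user, requisition, *args, **kwargs)
        return guarded
    return decorate


@requires("authorize")
def authorize(user, requisition):
    requisition["status"] = "AUTHORIZED"
    return requisition


@requires("delete")
def delete(user, requisition):
    requisition["status"] = "DELETED"
    return requisition


def try_action(user, action, facility):
    """None if the action is permitted, otherwise the error payload."""
    try:
        check_permission(user, action, facility)
        return None
    except MissingPermissionError as err:
        return err.payload


# Constructed sample users.
VIEWER = User("viewer", "fac-1", (RoleAssignment("REQUISITION_VIEW"),))
CREATOR = User("creator", "fac-1", (RoleAssignment("REQUISITION_CREATE"),))
AUTHORIZER = User("authorizer", "fac-1",
                  (RoleAssignment("REQUISITION_AUTHORIZE", "node-north"),))

if __name__ == "__main__":
    print(try_action(AUTHORIZER, "authorize", "fac-1"))   # not supervised: error payload
    print(authorize(AUTHORIZER, {"facility": "fac-2", "status": "SUBMITTED"}))
```

The decorator is the piece that would be shared across the save/submit/approve/delete endpoints: each handler declares its action once and the facility-scoped check runs before any state change. Note that the authorizer's right comes only from a supervisory node, so authorizing at the home facility fails while authorizing at a supervised facility succeeds, which is the case the test comment describes.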
Convert Requisition to Order is NOT in scope of this ticket. There is a separate ticket for enforcing permissions for Convert to Order.
Acceptance Criteria
The sub-tasks now contain all the acceptance criteria.
(This ticket was raised in discussion in OLMIS-1081.)