Prior to this ticket, the Requisition Service has been built without validating security. The Requisition Service actually needs to apply security validations to restrict permissions based on RBAC and Supervisory Nodes. Now that RBAC is implemented (), we can apply permissions to the Requisition Service.
The first sub-task of this ticket will fill in this description to specify the permissions required for each action:
Initiate a Requisition: REQUISITION_CREATE
Update a Requisition (setting fields in the line items): REQUISITION_CREATE or REQUISITION_APPROVE or REQUISITION_AUTHORIZE
Submit a Requisition: REQUISITION_CREATE
Approve a Requisition: REQUISITION_APPROVE
Authorize a Requisition: REQUISITION_AUTHORIZE
Delete a Requisition: REQUISITION_DELETE
View a Requisition: REQUISITION_VIEW
-Initiate a Requisition: User must have "Requisition - Create" permission at the facility for which they are trying to create the requisition. This happens either by the user's home facility or by supervisory node. Cross-reference and page 50 in the Configuration Guide.- (Covered by )
Convert Requisition to Order is NOT in scope of this ticket. There is a separate ticket for enforcing permissions for Convert to Order.
The sub-tasks now contain all the acceptance criteria.
(This ticket was raised in discussion in OLMIS-1081.)