Non-Agreement team members are able to create a budget line
Expected Behavior
Non-Agreement team members should be blocked from creating budget lines in the system.
Current Behavior
Non-Agreement team members are currently able to create budget lines, which should be restricted to Agreement team members only.
Possible Cause
The backend may not be properly checking user roles or permissions before allowing budget line creation.
Steps to Reproduce
1. Log in as a non-Agreement team member.
2. Navigate to the create-budget-line workflow (or call the corresponding API endpoint directly).
3. Attempt to create a new budget line under an agreement whose team you are not a member of.
4. Observe that the system allows the budget line to be created.
Note: the create-budget-line workflow has been removed from the FE, so reproduce this through direct API calls to the budget line creation endpoint.
Context
This issue affects the integrity of our budget management system. It could lead to unauthorized budget entries and potential financial discrepancies. The issue was observed in the localdev environment of OPS.
See also #2789
Detailed Description
The system needs to implement a backend check that verifies the user attempting to create a budget line is a member of the team of the agreement the budget line is being created under. This check should occur before any budget line creation is processed (before anything is written). If the user is not on that agreement's team, the system should reject the attempt with an authorization error and an appropriate error message, and no budget line should be persisted.
Possible Implementation
Implement a middleware function that checks the user's role before allowing access to budget line creation endpoints.
Add a permission check in the budget line creation service that verifies the user's team membership.
Update the database schema to include a role-based access control system for budget-related operations.
Do not rely on role or team information supplied by the frontend in the request body for this decision. Since the endpoint can be called directly via the API (see Steps to Reproduce), any client-supplied role field can be set arbitrarily; the backend must derive the user's identity from the authenticated session or token and look up team membership from the agreement record itself.
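As an added illustration of the checks proposed above (this is not OPS project code; the data model, function names and in-memory stores are assumptions made for the example), the following Python sketch places the team-membership check in the budget line creation service, runs it before any write, and deliberately ignores any role claim carried in the request payload:

```python
from dataclasses import dataclass, field
from typing import Any


class PermissionDenied(Exception):
    """Raised when the authenticated user may not perform the operation."""


@dataclass(frozen=True)
class User:
    id: int
    name: str


@dataclass
class Agreement:
    id: int
    name: str
    # Ids of the users on this agreement's team (assumed data model).
    team_member_ids: set[int] = field(default_factory=set)


@dataclass(frozen=True)
class BudgetLine:
    id: int
    agreement_id: int
    amount: float
    created_by: int


# Constructed stand-ins for the database tables (assumption, not the real schema).
AGREEMENTS: dict[int, Agreement] = {
    1: Agreement(id=1, name="Agreement A", team_member_ids={10, 11}),
}
BUDGET_LINES: list[BudgetLine] = []


def is_agreement_team_member(user: User, agreement: Agreement) -> bool:
    """Membership is decided by the agreement's own team list, never by
    anything the client sent in the request."""
    return user.id in agreement.team_member_ids


def check_can_create_budget_line(user: User, agreement: Agreement) -> None:
    """Deny-by-default authorization check; must run before any write."""
    if not is_agreement_team_member(user, agreement):
        raise PermissionDenied(
            f"user {user.id} is not a member of agreement {agreement.id}'s team"
        )


def create_budget_line(current_user: User, payload: dict[str, Any]) -> BudgetLine:
    """Service entry point. `current_user` is the identity resolved from the
    server-side session/token by the web layer (assumed); role or team fields
    inside `payload` are ignored on purpose."""
    agreement = AGREEMENTS.get(payload["agreement_id"])
    if agreement is None:
        raise KeyError(f"unknown agreement {payload['agreement_id']}")

    # Authorization happens first, so a denied caller leaves no trace.
    check_can_create_budget_line(current_user, agreement)

    line = BudgetLine(
        id=len(BUDGET_LINES) + 1,
        agreement_id=agreement.id,
        amount=float(payload["amount"]),
        created_by=current_user.id,
    )
    BUDGET_LINES.append(line)
    return line


def try_create_budget_line(user: User, payload: dict[str, Any]) -> str:
    """Convenience wrapper returning 'created' or 'denied' for a caller."""
    try:
        create_budget_line(user, payload)
        return "created"
    except PermissionDenied:
        return "denied"


if __name__ == "__main__":
    member = User(id=10, name="team member")
    outsider = User(id=99, name="non-member")
    print(try_create_budget_line(member, {"agreement_id": 1, "amount": 500.0}))
    # The forged role claim in the payload makes no difference to the outcome.
    print(try_create_budget_line(
        outsider, {"agreement_id": 1, "amount": 500.0, "role": "agreement_team"}
    ))
    print(len(BUDGET_LINES), "budget line(s) persisted")
```

The point of the shape is that the membership lookup keys on the agreement record and the authenticated user only, so a caller who hits the API directly with extra role fields, as in the reproduction steps, still gets rejected before any row is written.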