Open fpigeonjr opened 1 week ago
here is a snippet of the hook I am using for permissions on the FE:

```javascript
// src/hooks/agreement.hooks.js
import { useSelector } from "react-redux";
// Import path for the RTK Query API slice is assumed here; it was not in the original snippet.
import { useGetAgreementByIdQuery } from "../api/opsAPI";

export const useIsUserAllowedToEditAgreement = (agreementId) => {
    // TODO: add check if user is on the Budget Team
    const { data: agreement } = useGetAgreementByIdQuery(agreementId);
    const loggedInUserId = useSelector((state) => state?.auth?.activeUser?.id);

    // A user may edit when they are the project officer, the creator of the agreement,
    // a listed team member, or the creator of at least one of its budget lines.
    const isUserTheProjectOfficer = agreement?.project_officer_id === loggedInUserId;
    const isUserTheAgreementCreator = agreement?.created_by === loggedInUserId;
    const isUserATeamMember = agreement?.team_members?.some((teamMember) => teamMember.id === loggedInUserId);
    const isUserCreatorOfAnyBudgetLines = agreement?.budget_line_items?.some(
        (bli) => bli.created_by === loggedInUserId
    );

    // Coerce to a boolean so callers get false (not undefined) while the agreement is still loading.
    const isUserAllowedToEditAgreement = Boolean(
        isUserTheProjectOfficer || isUserTheAgreementCreator || isUserATeamMember || isUserCreatorOfAnyBudgetLines
    );
    return isUserAllowedToEditAgreement;
};
```
Expected Behavior
Only Agreement team members should be able to submit budget lines for a status change on the ReviewAgreement page.

Current Behavior
Non-team members are able to submit budget lines for a status change on the ReviewAgreement page, which should not be allowed.

Possible Cause
There might be a lack of proper access control or user role validation on the ReviewAgreement page or in the backend API that handles budget line status changes.

Steps to Reproduce
ReviewAgreement page

Context
This issue affects the security and integrity of the budget review process. It allows non-team members to make changes that should be limited to team members only. This was observed in the localdev environment of OPS.
See also #2725
Detailed Description
The ReviewAgreement page is currently allowing non-team members to submit budget lines for status changes. Only authorized team members should have the ability to make these changes. The system is not correctly validating the user's role or permissions before allowing the submission of budget line status changes.

Possible Implementation