fix(absence) : authorize cancellation before releasing the leave balance

src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceCancelProcessor.php

@@ -50,6 +50,12 @@ final readonly class AbsenceCancelProcessor implements ProcessorInterface
         $isAdmin = $this->security->isGranted('ROLE_ADMIN');
         $status  = $data->getStatus();
 
+        // Authorize before mutating the balance: an employee may only cancel
+        // their own request (admins can cancel any).
+        if (!$isAdmin && $data->getUser() !== $user) {
+            throw new AccessDeniedHttpException('You can only cancel your own requests.');
+        }
+
         if (AbsenceStatus::Pending === $status) {
             $this->balanceService->release($data, false);
         } elseif (AbsenceStatus::Approved === $status) {
@@ -61,11 +67,6 @@ final readonly class AbsenceCancelProcessor implements ProcessorInterface
             throw new ConflictHttpException('This request can no longer be cancelled.');
         }
 
-        // An employee may only cancel their own request (admins can cancel any).
-        if (!$isAdmin && $data->getUser() !== $user) {
-            throw new AccessDeniedHttpException('You can only cancel your own requests.');
-        }
-
         $data->setStatus(AbsenceStatus::Cancelled);
 
         $this->entityManager->flush();