From a76facbf4c81434ae2a49b5b9836a3177bf99513 Mon Sep 17 00:00:00 2001
From: Matthieu
Date: Mon, 22 Jun 2026 09:04:34 +0200
Subject: [PATCH] fix(absence) : authorize cancellation before releasing the leave balance

---
 .../ApiPlatform/State/AbsenceCancelProcessor.php | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceCancelProcessor.php b/src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceCancelProcessor.php
index c960b23..b52c33a 100644
--- a/src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceCancelProcessor.php
+++ b/src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceCancelProcessor.php
@@ -50,6 +50,12 @@ final readonly class AbsenceCancelProcessor implements ProcessorInterface
         $isAdmin = $this->security->isGranted('ROLE_ADMIN');
         $status = $data->getStatus();
 
+        // Authorize before mutating the balance: an employee may only cancel
+        // their own request (admins can cancel any).
+        if (!$isAdmin && $data->getUser() !== $user) {
+            throw new AccessDeniedHttpException('You can only cancel your own requests.');
+        }
+
         if (AbsenceStatus::Pending === $status) {
             $this->balanceService->release($data, false);
         } elseif (AbsenceStatus::Approved === $status) {
@@ -61,11 +67,6 @@ final readonly class AbsenceCancelProcessor implements ProcessorInterface
             throw new ConflictHttpException('This request can no longer be cancelled.');
         }
 
-        // An employee may only cancel their own request (admins can cancel any).
-        if (!$isAdmin && $data->getUser() !== $user) {
-            throw new AccessDeniedHttpException('You can only cancel your own requests.');
-        }
-
         $data->setStatus(AbsenceStatus::Cancelled);
         $this->entityManager->flush();
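Review bot: The ownership guard in the added `if` compares `$data->getUser()` and `$user` by object identity (`!==`), and `$user` is assigned above this hunk, so if it can be null there (no authenticated principal) an absence whose owner is also null would pass the guard, while two distinct instances representing the same user would be denied. Rejecting the missing-principal case explicitly, `if (!$isAdmin && ($user === null || $data->getUser() !== $user)) {`, closes the first gap; for the second, comparing a stable user identifier rather than instances is safer unless both sides are guaranteed to be the same managed entity — worth confirming against how `$user` is obtained. The enclosing method's signature is outside the hunk. The second hunk only removes the old copy of this same comparison, so it needs no separate change.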