MALIO-DEV/Lesstime
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 32 Wiki Activity

fix(absence) : authorize cancellation before releasing the leave balance

Browse Source
This commit is contained in:
Matthieu
2026-06-22 09:04:34 +02:00
parent 62cdd4614a
commit a76facbf4c
1 changed files with 6 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/Module/Absence/Infrastructure/ApiPlatform/State/AbsenceCancelProcessor.php
+6 -5
View File
@@ -50,6 +50,12 @@ final readonly class AbsenceCancelProcessor implements ProcessorInterface
$isAdmin = $this->security->isGranted('ROLE_ADMIN'); $isAdmin = $this->security->isGranted('ROLE_ADMIN');
$status = $data->getStatus(); $status = $data->getStatus();
// Authorize before mutating the balance: an employee may only cancel
// their own request (admins can cancel any).
if (!$isAdmin && $data->getUser() !== $user) {
throw new AccessDeniedHttpException('You can only cancel your own requests.');
}
if (AbsenceStatus::Pending === $status) { if (AbsenceStatus::Pending === $status) {
$this->balanceService->release($data, false); $this->balanceService->release($data, false);
} elseif (AbsenceStatus::Approved === $status) { } elseif (AbsenceStatus::Approved === $status) {
@@ -61,11 +67,6 @@ final readonly class AbsenceCancelProcessor implements ProcessorInterface
throw new ConflictHttpException('This request can no longer be cancelled.'); throw new ConflictHttpException('This request can no longer be cancelled.');
} }
// An employee may only cancel their own request (admins can cancel any).
if (!$isAdmin && $data->getUser() !== $user) {
throw new AccessDeniedHttpException('You can only cancel your own requests.');
}
$data->setStatus(AbsenceStatus::Cancelled); $data->setStatus(AbsenceStatus::Cancelled);
$this->entityManager->flush(); $this->entityManager->flush();