
TJK: custom roles adjustments#14

Open
MatiasArriola wants to merge 2 commits into release/est/tjk/0.9.7 from fix/tjk/roles-adjustments

@MatiasArriola

✨ Description of Change

Link to GitHub issue or Jira ticket: https://app.clickup.com/t/869da29v7

Description:

This PR aligns legacy inventory/product actions with the custom role permissions matrix.

It fixes two related issues:

  • custom-role users could be allowed by backend policy but still hit a client-side Access denied alert from legacy g:link authorization
  • legacy product and inventory views were still showing actions that should be hidden for custom roles

Changes

  • allow Facility Storekeeper and Regional Warehouse to complete the record stock workflow end to end
    • inventoryItem.showRecordInventory
    • inventoryItem.saveRecordInventory
    • recordStockApi.saveRecordStock
  • allow Regional Warehouse to create stock requests consistently with the matrix
    • stockMovement.createRequest
    • stock-request API access remains scoped to stock requests only
  • update shared g:link authorization to honor custom role policy before applying legacy manager/admin/superuser link disabling
  • add custom view tags for:
    • record stock visibility
    • outbound movement visibility
  • hide legacy UI actions according to the matrix
    • hide Edit product for roles without product management access
    • hide Manage stock lists for roles without stocklist management access
    • hide outbound transfer actions for roles without outbound permissions

Why

The custom permissions matrix is enforced in CustomRolePolicyService, but several legacy GSPs were still using older role assumptions in the UI.

That created two bad outcomes:

  • actions like Record stock were technically allowed but blocked in the browser before navigation
  • actions like Edit product were visible even though the matrix says they should not be accessible

This PR makes the visible actions and actual route authorization consistent.

Expected behavior after this change

  • Facility Storekeeper

    • can use Record stock
    • can create stock requests
    • does not see Edit product
    • does not see Manage stock lists
  • Regional Warehouse

    • can use Record stock
    • can adjust stock
    • can create stock requests
    • does not see Edit product
    • does see Manage stock lists

Assumed "Record stock" is allowed because it is an inventory write action, like adjust stock.

Allow Facility Storekeeper and Regional Warehouse User to use stock request workflows in a way that matches the documented permissions matrix.

Also fix the legacy inventory browser adjust-stock action to use the real adjustment route and add focused policy regression coverage.

Allow Facility Storekeeper and Regional Warehouse to complete the record stock flow end to end, including the shared link authorization path used by legacy GSP actions.

Also hide product edit and stocklist actions according to the custom permissions matrix and add focused regression coverage for the adjusted policy behavior.
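
The decision order described in the PR above (custom role policy first, legacy link check only as a fallback), sketched as an added example that is not part of the PR or the project's code. All class and method names, the stand-in legacy rule, and the action names `product.edit` and `stocklist.manage` are assumptions; the other action names and the role matrix come from the description.

```groovy
// Added example. Classes, methods, the legacy rule and the action names
// 'product.edit' and 'stocklist.manage' are hypothetical placeholders.
enum Decision { ALLOW, DENY, NOT_APPLICABLE }

class CustomRolePolicy {
    // Actions the PR description grants to both custom roles.
    static final List<String> SHARED = ['inventoryItem.showRecordInventory',
                                        'inventoryItem.saveRecordInventory',
                                        'recordStockApi.saveRecordStock',
                                        'stockMovement.createRequest']
    // Constructed matrix, limited to what the description states.
    static final Map<String, Set<String>> MATRIX = [
        'Facility Storekeeper': SHARED as Set,
        'Regional Warehouse'  : (SHARED + 'stocklist.manage') as Set
    ]

    // Users without a custom role are left to the legacy checks.
    static Decision decide(String customRole, String action) {
        if (!MATRIX.containsKey(customRole)) return Decision.NOT_APPLICABLE
        return MATRIX[customRole].contains(action) ? Decision.ALLOW : Decision.DENY
    }
}

class ActionAuthorizer {
    // Stand-in for the legacy manager/admin/superuser link check.
    static final Set<String> LEGACY_PRIVILEGED =
        ['inventoryItem.showRecordInventory', 'product.edit'] as Set

    // One decision for route checks and link rendering, so they cannot drift.
    static boolean isAllowed(Map user, String action) {
        Decision d = CustomRolePolicy.decide(user.customRole as String, action)
        if (d != Decision.NOT_APPLICABLE) return d == Decision.ALLOW // matrix is final
        return !(action in LEGACY_PRIVILEGED) ||
               user.legacyRole in ['manager', 'admin', 'superuser']
    }
}

// Constructed users; 'assistant' is a made-up low-privilege legacy role.
def storekeeper = [customRole: 'Facility Storekeeper', legacyRole: 'assistant']
def warehouse   = [customRole: 'Regional Warehouse', legacyRole: 'assistant']
def legacyOnly  = [customRole: null, legacyRole: 'assistant']

// Allowed by the matrix even though the legacy rule alone would block it.
assert ActionAuthorizer.isAllowed(storekeeper, 'inventoryItem.showRecordInventory')
assert !ActionAuthorizer.isAllowed(storekeeper, 'product.edit')
assert !ActionAuthorizer.isAllowed(storekeeper, 'stocklist.manage')
assert ActionAuthorizer.isAllowed(warehouse, 'stocklist.manage')
// No custom role: the legacy rule still applies unchanged.
assert !ActionAuthorizer.isAllowed(legacyOnly, 'inventoryItem.showRecordInventory')
```

Hiding a link is only a presentation choice; the same `isAllowed` result has to gate the route itself, which is why the sketch exposes a single function for both callers.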