TJK: fix(custom-roles): stock request workflow for Facility Storekeeper and Regional Warehouse#20
Conversation
Allow facility storekeeper and regional warehouse users to complete the stock request flow without exposing unrelated inbound actions. This includes the stock request API/policy adjustments, requestor delete support for electronic requests, show-page action cleanup, and regression coverage for the affected custom-role routes.
anagperal
left a comment
There was a problem hiding this comment.
thanks @MatiasArriola ! only two comments
| 'stocklistApi': ['list', 'read'], | ||
| ] | ||
|
|
||
| private static final Map<String, List<String>> REGIONAL_WAREHOUSE_ALLOWED_ACTIONS = [ |
There was a problem hiding this comment.
I have this access denied when click on "Receive" button as a user with role REGIONAL_WAREHOUSE that receives the shipment from an inbound movement:
A REGIONAL_WAREHOUSE user clicking Receive (partialReceiving/create):
- getActivePolicy → ROLE_REGIONAL_WAREHOUSE (so hasPolicy = true).
- isDeniedForRegionalWarehouse('partialReceiving','create') → no matching rule → denied = false.
- isAllowedByPolicy → isRouteAllowed(REGIONAL_WAREHOUSE_ALLOWED_ACTIONS, 'partialReceiving', 'create') → partialReceiving wasn't a key in the map → false. And isAllowedStockRequestRoute doesn't handle partialReceiving either → allowed = false.
- Result: denied:false, allowed:false → falls through to the legacy rules.
AI-suggested solution, add to REGIONAL_WAREHOUSE_ALLOWED_ACTIONS:
'internalLocationApi' : ['listReceiving'],
'partialReceiving' : ['create'],
'partialReceivingApi' : ['read', 'update'],
Test
- Create a request from regional location to main location
- Go to main location and approve request then click on edit to create shipment and click on send shipment
- Go to regional location to the corresponding inbound shipment and click on "Receive"
There was a problem hiding this comment.
I have this access denied when trying to create the shipment from the request as a user with role REGIONAL_WAREHOUSE:

The updateShipment action is missing from isAllowedStockRequestRoute. The Send step makes two calls: updateShipment (save shipment details) then updateStatus with DISPATCHED. The updateStatus is already allowed via isAllowedStockRequestRoute line 405, but updateShipment is missing
Test
- Create request with facility user to regional location
- Go to regional location and approve request then click on edit to create shipment and click on send shipment
Restore the stock request send step for regional warehouse users by allowing updateShipment on stock-request routes. Allow facility storekeeper and regional warehouse users to complete partial receiving of existing inbound shipments without granting inbound creation permissions. Also restore stock movement item access for RPC superusers and add regression coverage for the affected policy paths.
|
Thanks @anagperal! Good catches and suggestions! Tested both flows end to end before the changes and reproduced the issues, then added the permissions and verified it is fixed. Had to add the permissions for both facility storekeeper and regional warehouse. Tested from inbound request until receive and verifying inventory using both scenarios:
|
✨ Description of Change
Link to GitHub issue or Jira ticket: https://app.clickup.com/t/869da29v7
Problem
This PR fixes regressions in the stock request workflow for the new restricted custom roles:
ROLE_FACILITY_STOREKEEPERROLE_REGIONAL_WAREHOUSEThe original issue was that stock request creation was failing for these users. Endpoints needed by the stock request process were being denied.
After opening up the create flow, there were also follow-up inconsistencies around related stock-request actions and the stock movement show page: most actions were incorrectly denied (comment, add doc, etc.).
What changed
1. Update permissions related to stock-request
File:
CustomRolePolicyServiceSpec.groovyAdded coverage for:
Reasoning:
2. Hide misleading actions on the stock movement show page
Files:
AuthTagLib.groovyshow.gspChanges:
canCreateStockMovementFromShowtaglib helper.Createis hidden on electronic stock requests for:ROLE_FACILITY_STOREKEEPERROLE_REGIONAL_WAREHOUSEReceiveis shown only whenstockMovement.isReceivingAuthorized(currentLocation)is true.Reasoning:
Createvisibility rule was moved out of the GSP and intoAuthTagLibto keep the view easier to reason about.3. Allow requestors to delete their own stock requests
File:
Change:
isDeleteOrRollbackAuthorized(...), electronic stock requests can now be deleted by the requestor themselves, even if they do not have assistant-or-higher role.Reasoning:
Functional impact
For facility storekeeper / regional warehouse users:
For stock request requestors:
Testing
Added/updated unit coverage in:
CustomRolePolicyServiceSpec.groovyImportant:
To test the approval flow, the users that should approve the Stock Requests must have the separate "Request approver" role for the given Location. This role is what allows the users to appear in the "Approvers" control, and also used to check for permissions to exercise that action.
📷 Screenshots & Recordings (optional)
openboxes-stock-request.webm