From f77ea3828a73824d7ce52486350a040b1f500551 Mon Sep 17 00:00:00 2001
From: pqhuy1987
Date: Fri, 8 May 2026 18:45:04 +0700
Subject: [PATCH] =?UTF-8?q?[CLAUDE]=20Fix:=20ApprovalWorkflowsV2=20GET=20a?=
 =?UTF-8?q?i=20authenticated=20c=C5=A9ng=20=C4=91c=20=E2=80=94=20Drafter?=
 =?UTF-8?q?=20pick=20workflow=20l=C3=BAc=20create=20PE?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bug UAT 2026-05-08: user Drafter (nv.test) login Workspace tạo phiếu B, dropdown "Quy trình duyệt" empty silent. Sample seed B đã chạy đúng (Designer admin hiển thị sample + clone v02 active) nhưng Workspace empty. Root cause: class-level [Authorize(Policy = "Workflows.Read")] → non-admin role 403 Forbidden khi GET /api/approval-workflows-v2. TanStack Query catch error silent → dropdown empty không có warning. Fix: - Class-level [Authorize] only (any authenticated) - GET inherit class policy (Drafter cần list workflow để pick — read-only) - POST + DELETE giữ [Authorize(Policy = "Workflows.Create")] — admin-only Designer Workflow data không nhạy cảm — chỉ là cấu hình quy trình. Validate ApplicableType match PE.Type ở Create command đã có.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .../Controllers/ApprovalWorkflowsV2Controller.cs | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/Backend/SolutionErp.Api/Controllers/ApprovalWorkflowsV2Controller.cs b/src/Backend/SolutionErp.Api/Controllers/ApprovalWorkflowsV2Controller.cs
index 4dfe2a7..00a15a2 100644
--- a/src/Backend/SolutionErp.Api/Controllers/ApprovalWorkflowsV2Controller.cs
+++ b/src/Backend/SolutionErp.Api/Controllers/ApprovalWorkflowsV2Controller.cs
@@ -7,11 +7,15 @@ namespace SolutionErp.Api.Controllers;
 // Quy trình duyệt MỚI (Mig 22 — Session 17, 2026-05-08).
 // Schema riêng để UAT, KHÔNG đụng WorkflowDefinition cũ.
-// Reuse policy "Workflows.Read"/"Workflows.Create" giống PE/Contract designer
-// — admin đã có quyền quản lý workflow nói chung.
+// Authorization split:
+// - GET Overview: chỉ cần authenticated — Drafter cần list workflow để pick lúc create PE/HĐ (read-only, không expose business data nhạy cảm).
+// - POST/DELETE: policy "Workflows.Create" — admin-only Designer.
+// Bug fix 2026-05-08: trước class-level "Workflows.Read" → Drafter 403 → Workspace dropdown empty silent (không thấy sample workflow đã seed).
 [ApiController]
 [Route("api/approval-workflows-v2")]
-[Authorize(Policy = "Workflows.Read")]
+[Authorize]
 public class ApprovalWorkflowsV2Controller(IMediator mediator) : ControllerBase
 {
     [HttpGet]
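Review bot: Replacing the class-level `[Authorize(Policy = "Workflows.Read")]` with a bare `[Authorize]` turns the controller's default from deny-by-policy into allow-any-authenticated, so the per-action `[Authorize(Policy = "Workflows.Create")]` on POST/DELETE that the commit message relies on is now the only thing keeping writes admin-only, and it is not visible in this hunk (the controller body continues past `[HttpGet]`, outside the hunk). Any action added to this controller later silently inherits the open default unless its author remembers to attach a policy, whereas the old class-level policy failed safe. I would state that contract explicitly in the new header comment, e.g. `// NOTE: class-level [Authorize] is only the floor — every non-GET action MUST carry its own [Authorize(Policy = "...")]`. A dedicated read policy granted to the Drafter role would also fix the 403 while keeping a policy on the class; that is a design choice, but it avoids the open default. The claim that the GET exposes no sensitive business data cannot be checked from this hunk, since the action's response type is not shown.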