Merge pull request #1295 from bcgov/dev

Dev

Author: jimmyPasta

applications/Unity.GrantManager/modules/Unity.Payments/src/Unity.Payments.Application/Domain/Exceptions/ErrorConsts.cs

@@ -7,5 +7,6 @@ public static class ErrorConsts
         public const string ConfigurationExists = "Unity.Payments:Errors:ConfigurationExists";
         public const string ConfigurationDoesNotExist = "Unity.Payments:Errors:ConfigurationDoesNotExist";
         public const string InvalidAccountCodingField = "Unity.Payments:Errors:InvalidAccountCodingFiled";
+        public const string L2ApproverRestriction = "Unity.Payments:Errors:L2ApproverRestriction";
     }
 }

applications/Unity.GrantManager/modules/Unity.Payments/src/Unity.Payments.Application/PaymentRequests/PaymentRequestAppService.cs

@@ -6,6 +6,7 @@
 using System.Linq;
 using System.Threading.Tasks;
 using Unity.Payment.Shared;
+using Unity.Payments.Domain.Exceptions;
 using Unity.Payments.Domain.PaymentConfigurations;
 using Unity.Payments.Domain.PaymentRequests;
 using Unity.Payments.Domain.Services;
@@ -95,7 +96,7 @@ public virtual async Task<List<PaymentRequestDto>> CreateAsync(List<CreatePaymen
                     // referenceNumber + Chefs Confirmation ID + 6 digit sequence based on sequence number and index
                     CreatePaymentRequestDto paymentRequestDto = paymentRequestItem.value;
                     string referenceNumberPrefix = GenerateReferenceNumberPrefixAsync(paymentIdPrefix);
-                    string sequenceNumber = GenerateSequenceNumberAsync(nextSequenceNumber, paymentRequestItem.i);  
+                    string sequenceNumber = GenerateSequenceNumberAsync(nextSequenceNumber, paymentRequestItem.i);
                     string referenceNumber = GenerateReferenceNumberAsync(referenceNumberPrefix, sequenceNumber);
                     string invoiceNumber = GenerateInvoiceNumberAsync(referenceNumberPrefix, paymentRequestDto.InvoiceNumber, sequenceNumber);
 
@@ -138,13 +139,13 @@ private static string GenerateInvoiceNumberAsync(string referenceNumber, string
             return $"{referenceNumber}-{invoiceNumber}-{sequencePart}";
         }
 
-        private static string GenerateReferenceNumberAsync(string referenceNumber,  string sequencePart)
+        private static string GenerateReferenceNumberAsync(string referenceNumber, string sequencePart)
         {
             return $"{referenceNumber}-{sequencePart}";
         }
 
 
-        private static string GenerateSequenceNumberAsync(int sequenceNumber,  int index)
+        private static string GenerateSequenceNumberAsync(int sequenceNumber, int index)
         {
             sequenceNumber = sequenceNumber + index;
             return sequenceNumber.ToString("D4");
@@ -185,6 +186,20 @@ public virtual async Task<List<PaymentRequestDto>> UpdateStatusAsync(List<Update
 
             var paymentThreshold = await GetPaymentThresholdAsync();
 
+            // Check approval batches
+            var approvalRequests = paymentRequests.Where(r => r.IsApprove).Select(x => x.PaymentRequestId).ToList();
+            var approvalList = await _paymentRequestsRepository.GetListAsync(x => approvalRequests.Contains(x.Id), includeDetails: true);
+
+            // Rule AB#26693: Reject Payment Request update batch if violates L1 and L2 separation of duties
+            if (approvalList.Any(
+                x => x.Status == PaymentRequestStatus.L2Pending
+                && CurrentUser.Id == x.ExpenseApprovals.FirstOrDefault(y => y.Type == ExpenseApprovalType.Level1)?.DecisionUserId))
+            {
+                throw new BusinessException(
+                    code: ErrorConsts.L2ApproverRestriction,
+                    message: L[ErrorConsts.L2ApproverRestriction]);
+            }
+
             foreach (var dto in paymentRequests)
             {
                 try
@@ -206,6 +221,7 @@ public virtual async Task<List<PaymentRequestDto>> UpdateStatusAsync(List<Update
 
             return updatedPayments;
         }
+
         private async Task<PaymentApprovalAction> DetermineTriggerActionAsync(
             UpdatePaymentStatusRequestDto dto,
             PaymentRequest payment,
@@ -216,7 +232,7 @@ private async Task<PaymentApprovalAction> DetermineTriggerActionAsync(
                 return dto.IsApprove ? PaymentApprovalAction.L1Approve : PaymentApprovalAction.L1Decline;
             }
 
-            if (await CanPerformLevel2ActionAsync(payment))
+            if (await CanPerformLevel2ActionAsync(payment, dto.IsApprove))
             {
                 if (dto.IsApprove)
                 {
@@ -241,9 +257,18 @@ private async Task<bool> CanPerformLevel1ActionAsync(PaymentRequestStatus status
             return await _permissionChecker.IsGrantedAsync(PaymentsPermissions.Payments.L1ApproveOrDecline) && level1Approvals.Contains(status);
         }
 
-        private async Task<bool> CanPerformLevel2ActionAsync(PaymentRequest payment)
+        private async Task<bool> CanPerformLevel2ActionAsync(PaymentRequest payment, bool IsApprove)
         {
             List<PaymentRequestStatus> level2Approvals = new() { PaymentRequestStatus.L2Pending, PaymentRequestStatus.L2Declined };
+            
+            // Rule AB#26693: Reject Payment Request update if violates L1 and L2 separation of duties
+            var IsSameApprover = CurrentUser.Id == payment.ExpenseApprovals.FirstOrDefault(x => x.Type == ExpenseApprovalType.Level1)?.DecisionUserId;
+            if (IsSameApprover && IsApprove)
+            {
+                throw new BusinessException(
+                    code: ErrorConsts.L2ApproverRestriction,
+                    message: L[ErrorConsts.L2ApproverRestriction]);
+            }
             return await _permissionChecker.IsGrantedAsync(PaymentsPermissions.Payments.L2ApproveOrDecline) && level2Approvals.Contains(payment.Status);
         }
 
@@ -380,6 +405,7 @@ public async Task<List<PaymentDetailsDto>> GetListByPaymentIdsAsync(List<Guid> p
             var payments = await paymentsQueryable
                 .Where(e => paymentIds.Contains(e.Id))
                 .Include(pr => pr.Site)
+                .Include(x => x.ExpenseApprovals)
                 .ToListAsync();
 
             return ObjectMapper.Map<List<PaymentRequest>, List<PaymentDetailsDto>>(payments);

applications/Unity.GrantManager/modules/Unity.Payments/src/Unity.Payments.Shared/Localization/Payments/en.json

@@ -9,6 +9,7 @@
     "Unity.Payments:Errors:ConfigurationExists": "Configuration already exitst",
     "Unity.Payments:Errors:ConfigurationDoesNotExist": "Configuration does not exits",
     "Unity.Payments:Errors:InvalidAccountCodingFiled": "Invalid account coding field {field} : {length}",
+    "Unity.Payments:Errors:L2ApproverRestriction": "You cannot approve one or more selected payments as you have already approved them as an L1 Approver.",
 
     "Setting:Payments.ThresholdAmount.DisplayName": "Payment threshold amount",
     "Setting:Payments.ThresholdAmount.Description": "Payment threshold that triggers additional approvals and checks",
@@ -21,6 +22,9 @@
     "ApplicationPaymentRequest:SubmitButtonText": "Submit Payment Requests",
     "ApplicationPaymentRequest:CancelButtonText": "Cancel",
     "ApplicationPaymentRequest:Validations:RemainingAmountExceeded": "Cannot add a payment that exceeds the remaining amount of ",
+    "ApplicationPaymentRequest:Validations:L2ApproverRestriction": "You cannot approve this payment as you have already approved it as an L1 Approver.",
+    "ApplicationPaymentRequest:Validations:L2ApproverRestrictionBatch": "Highlighted payments were already approved with L1 permission. L1 and L2 approvers must be different individuals",
+
 
     "ApplicationPaymentTable:BatchNumber": "Batch Number",
     "ApplicationPaymentTable:TotalAmount": "Total Amount",

applications/Unity.GrantManager/modules/Unity.Payments/src/Unity.Payments.Web/Pages/PaymentApprovals/PaymentsApprovalModel.cs

@@ -1,12 +1,16 @@
-using System.ComponentModel.DataAnnotations;
-using System.ComponentModel;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Localization;
 using System;
 using System.Collections.Generic;
+using System.ComponentModel;
+using System.ComponentModel.DataAnnotations;
 using Unity.Payments.Enums;
+using Unity.Payments.Localization;
+using Volo.Abp.Users;
 
 namespace Unity.Payments.Web.Pages.PaymentApprovals
 {
-    public class PaymentsApprovalModel
+    public class PaymentsApprovalModel : IValidatableObject
     {
         [Required]
         public Guid Id { get; set; }
@@ -32,8 +36,6 @@ public class PaymentsApprovalModel
 
         public bool isPermitted { get; set; }
 
-        public List<string> ErrorList { get; set; } = new List<string> { };
-
         public bool IsL3ApprovalRequired { get; set; }
 
         public PaymentRequestStatus ToStatus { get; set; }
@@ -42,5 +44,27 @@ public class PaymentsApprovalModel
 
         public string ToStatusText { get; set; } = string.Empty;
 
+        public Guid? PreviousL1Approver { get; set; }
+
+        public bool IsApproval { get; set; }
+        public bool IsValid { get; set; } = false;
+        public Guid CurrentUser { get; set; }
+
+        public IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
+        {
+            var currentUser = validationContext.GetRequiredService<ICurrentUser>();
+            var localizer = validationContext.GetRequiredService<IStringLocalizer<PaymentsResource>>();
+
+            // Rule AB#26693: Reject Payment Request update batch if violates L1 and L2 separation of duties
+            if (IsApproval
+                && Status == PaymentRequestStatus.L2Pending
+                && PreviousL1Approver == currentUser.Id)
+            {
+                yield return new ValidationResult(
+                    errorMessage: localizer["ApplicationPaymentRequest:Validations:L2ApproverRestriction"],
+                    memberNames: [nameof(PreviousL1Approver)]
+                );
+            }
+        }
     }
 }

applications/Unity.GrantManager/modules/Unity.Payments/src/Unity.Payments.Web/Pages/PaymentApprovals/UpdatePaymentRequestStatus.cshtml

@@ -14,8 +14,16 @@
     int uniqueIndex = 0;
 }
 
+@functions
+{
+    public static string GetContainerValidationState(bool isValid)
+    {
+        return isValid ? "single-payment" : "single-payment bg-danger-subtle border-danger-subtle";
+    }
+}
+
 
-<form method="post" asp-page-handler="OnPostAsync" id="paymentRequestStatus">
+<form method="post" asp-page-handler="OnPostAsync" id="paymentRequestStatus" data-ajaxForm="true">
     <abp-modal size="ExtraLarge" id="payment-modal">
         @if (Model.IsApproval)
         {
@@ -32,7 +40,7 @@
                     <abp-input id="PaymentThreshold" type="hidden" asp-for="PaymentThreshold" />
                     <abp-input id="ApplicationCount" type="hidden" asp-for="PaymentGroupings.Count" />
 
-                    @if (Model.PaymentGroupings.Count >= 1)
+                    @if (Model.PaymentGroupings.Count > 0)
                     {
                         @for (int k = 0; k < Model.PaymentGroupings.Count; k++)
                         {
@@ -45,7 +53,7 @@
 
                                 @for (int i = 0; i < Model.PaymentGroupings[k].Items.Count; i++)
                                 {
-                                    <div id="@($"{@Model.PaymentGroupings[k].Items[i].Id}_container")" class="single-payment">
+                                    <div id="@($"{@Model.PaymentGroupings[k].Items[i].Id}_container")" class="@GetContainerValidationState(Model.PaymentGroupings[k].Items[i].IsValid)">
                                         <input type="hidden" asp-for="@Model.PaymentGroupings[k].Items[i].Id" />
                                         <input type="hidden" asp-for="@Model.PaymentGroupings[k].Items[i].ReferenceNumber" />
                                         <input type="hidden" asp-for="@Model.PaymentGroupings[k].Items[i].Amount" />
@@ -57,9 +65,21 @@
                                         <input type="hidden" asp-for="@Model.PaymentGroupings[k].Items[i].isPermitted" />
                                         <input type="hidden" asp-for="@Model.PaymentGroupings[k].Items[i].IsL3ApprovalRequired" />
                                         <input type="hidden" asp-for="@Model.PaymentGroupings[k].Items[i].ToStatus" />
-                                        <abp-row class="m-0 p-2">
-                                            <abp-column size="_11" class="px-1"><h6 class="single-payment-card-application-name">@Model.PaymentGroupings[k].Items[i].ApplicantName (@Model.PaymentGroupings[k].Items[i].InvoiceNumber)</h6></abp-column>
-                                            <abp-column size="_1" class="px-1 remove-single-payment">  <abp-button style="float: right" onclick='removeApplicationPayment("@Model.PaymentGroupings[k].Items[i].Id" + "_container", @Model.PaymentGroupings[k].GroupId)' size="Small" icon-type="Other" class="m-0 p-0 remove-single-payment" icon="fa fa-times" data-parameter="@Model.PaymentGroupings[k].Items[i].CorrelationId" /></abp-column>
+                                        <input type="hidden" asp-for="@Model.PaymentGroupings[k].Items[i].PreviousL1Approver" />
+                                        <input type="hidden" asp-for="@Model.PaymentGroupings[k].Items[i].IsValid" />
+                                        <abp-row id=@($"{@Model.PaymentGroupings[k].Items[i].Id}_header") class=" m-0 p-2">
+                                            <abp-column size="_12" class="px-1 d-flex align-items-center">
+                                                <div class="w-100">
+                                                    <h6 class="single-payment-card-application-name fw-bold">
+                                                        @Model.PaymentGroupings[k].Items[i].ApplicantName (@Model.PaymentGroupings[k].Items[i].InvoiceNumber)
+                                                    </h6>
+                                                </div>
+                                                <div class="flex-shrink-1">
+                                                    <abp-button onclick='removeApplicationPayment("@Model.PaymentGroupings[k].Items[i].Id" + "_container", @Model.PaymentGroupings[k].GroupId)'
+                                                                size="Small" icon-type="Other" class="m-0 p-0 remove-single-payment" icon="fa fa-times"
+                                                                data-parameter="@Model.PaymentGroupings[k].Items[i].CorrelationId" />
+                                                </div>
+                                            </abp-column>
                                         </abp-row>
                                         <input type="hidden" asp-for="@Model.PaymentGroupings[k].Items[i].Id" />
                                         <input type="hidden" asp-for="@Model.IsApproval" />
@@ -81,24 +101,34 @@
                                     uniqueIndex++;
                                 }
 
-                                <abp-row class="m-0 p-3 payment-status-transition">
-                                    <abp-column size="_4" class="text-center">
-                                        @{
-                                            var fromStatusText = UpdatePaymentRequestStatus.GetStatusText(@Model.PaymentGroupings[k].Items[0].Status);
-                                            var fromStatusTextColor = UpdatePaymentRequestStatus.GetStatusTextColor(@Model.PaymentGroupings[k].Items[0].Status);
-                                        }
-                                        <b style="color:@fromStatusTextColor ">@fromStatusText</b>
-
-                                    </abp-column>
-                                    <abp-column size="_4" class="text-center">
-                                        <span class="fa fa-chevron-right fa-solid fa-bold payment-status-transition-arrow"></span> <span class="fa fa-chevron-right fa-solid fa-bold payment-status-transition-arrow"></span> <span class="fa fa-chevron-right fa-solid fa-bold payment-status-transition-arrow"></span>
-                                    </abp-column>
-                                    <abp-column size="_4" class="text-center">
-                                        @{
-                                            var toStatusText = UpdatePaymentRequestStatus.GetStatusText(@Model.PaymentGroupings[k].ToStatus);
-                                            var toStatusTextColor = UpdatePaymentRequestStatus.GetStatusTextColor(@Model.PaymentGroupings[k].ToStatus);
-                                        }
-                                        <b style="color:@toStatusTextColor">@toStatusText</b>
+                                <abp-row class="m-0 payment-status-transition">
+                                    <abp-column size="_12" class="d-flex align-items-center p-0 text-center">
+                                        <div class="flex-fill">
+                                            @{
+                                                var fromStatusText = UpdatePaymentRequestStatus.GetStatusText(@Model.PaymentGroupings[k].Items[0].Status);
+                                                var fromStatusTextColor = UpdatePaymentRequestStatus.GetStatusTextColor(@Model.PaymentGroupings[k].Items[0].Status);
+                                            }
+                                            <b style="color:@fromStatusTextColor ">@fromStatusText</b>
+                                        </div>
+                                        <div class="flex-fill">
+                                            @if (Model.PaymentGroupings[k].Items.Any(x => !x.IsValid))
+                                            {
+                                                <span class="fa fa-ban fa-solid payment-status-transition-ban"></span>
+                                            }
+                                            else
+                                            {
+                                                <span class="fa fa-chevron-right fa-solid payment-status-transition-arrow"></span>
+                                                <span class="fa fa-chevron-right fa-solid payment-status-transition-arrow"></span>
+                                                <span class="fa fa-chevron-right fa-solid payment-status-transition-arrow"></span>
+                                            }
+                                        </div>
+                                        <div class="flex-fill">
+                                            @{
+                                                var toStatusText = UpdatePaymentRequestStatus.GetStatusText(@Model.PaymentGroupings[k].ToStatus);
+                                                var toStatusTextColor = UpdatePaymentRequestStatus.GetStatusTextColor(@Model.PaymentGroupings[k].ToStatus);
+                                            }
+                                            <b style="color:@toStatusTextColor">@toStatusText</b>
+                                        </div>
                                     </abp-column>
                                 </abp-row>
                             </abp-container>
@@ -110,13 +140,16 @@
                             <abp-column size="_12" class="px-1"> <p>No Payments Selected</p></abp-column>
                         </abp-row>
                     }
-                    <abp-column size="_12" class=" m-0 p-3 payment-error-column">
-                        <span><b>Note: </b>Only payments in   @Model.FromStatusText status will appear in this list</span>
+                    <abp-column size="_12" class=" m-0 p-3 payment-error-column text-danger" abp-if="@(!ModelState.IsValid)">
+                        @if(ModelState.ContainsKey(nameof(PaymentsApprovalModel.PreviousL1Approver))
+                            && ModelState[nameof(PaymentsApprovalModel.PreviousL1Approver)]?.ValidationState == Microsoft.AspNetCore.Mvc.ModelBinding.ModelValidationState.Invalid)
+                        {
+                            <span>@L["ApplicationPaymentRequest:Validations:L2ApproverRestrictionBatch"]</span>
+                        }
                     </abp-column>
                     <abp-row class="m-0 p-2 no-payment-msg text-center" id="no-payment-msg" style="display: none;">
                         <abp-column size="_12" class="px-1"> <p>No Payments Selected</p></abp-column>
                     </abp-row>
-
                 </abp-card-body>
             </abp-card>
         </abp-modal-body>
@@ -134,6 +167,10 @@
     </abp-modal>
 </form>
 
+@section Scripts {
+    <partial name="_ValidationScriptsPartial" />
+}
+
 <script defer>
     (function () {
         if (window.jQuery) {