alberto-art3ch commented on PR #6133: URL: https://github.com/apache/fineract/pull/6133#issuecomment-4987661874
> This routes a sensitive flag change through Fineract's brand-new typed command framework instead of the legacy command-source pipeline every other WC command uses. > > `WorkingCapitalLoanApiResource.java`: > > ```java > // Permission code = <action>_<entity>. The new command framework does not enforce per-command permissions, > // so the mark-as-fraud endpoint checks it explicitly to keep parity with the legacy authorization model. > ``` > > Auth is handled explicitly here so that's fine, but I checked the framework's own docs (`fineract-doc/.../command/audit.adoc` is literally `TBD`, and `refactoring.adoc` says maker-checker "will be part of a separate proposal") - this command gets no audit trail and no maker-checker, unlike every other WC command in this whole epic which goes through the legacy pipeline and gets both for free. Marking a loan fraudulent seems exactly like the kind of action you'd want an audit trail on. Is it worth waiting for command-audit to land before routing this one through the new framework, or is that an accepted tradeoff? > > Minor: the PR also adds a full new `charge-off.adoc` doc chapter describing the general (non-WC) Loan Charge-Off feature. Reasonable context to set up the "Fraud Charge-Off" section, but it's documenting a whole pre-existing shared feature, not really "Working Capital loan mark as fraud" - could've been its own doc PR. PR updated to use legacy command handler -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
