WEB-844: Hamburguer menu grant-treasurer#3382

Merged
IOhacker merged 1 commit into openMF:dev from ansh-varshney:WEB-844-fix-tesorero-hamburger-menus
Mar 15, 2026

@ansh-varshney
Contributor

@ansh-varshney ansh-varshney commented Mar 15, 2026

JIRA TICKET: WEB-844

Description

The Applications button in the client hamburger menu lacked a permission guard on the parent trigger button. Child items inside had individual mifosxHasPermission checks, but the parent button always rendered when the client was active, regardless of the user's permissions. When RBAC is enabled, this causes the Applications button to appear even for roles that have none of the application creation permissions.

The treasurer role hamburger menu fix is complete.

Checklist

Please make sure these boxes are checked before submitting your pull request - thanks!

  • If you have multiple commits please combine them into one commit by squashing them.

  • Read and understood the contribution guidelines at web-app/.github/CONTRIBUTING.md.

Summary by CodeRabbit

  • New Features
    • Added permission-based access control to account application creation features, restricting access to authorized users only.

@coderabbitai

coderabbitai Bot commented Mar 15, 2026

Note

.coderabbit.yaml has unrecognized properties

CodeRabbit is using all valid settings from your configuration. Unrecognized properties (listed below) have been ignored and may indicate typos or deprecated fields that can be removed.

⚠️ Parsing warnings (1)
Validation error: Unrecognized key(s) in object: 'pre_merge_checks'

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ee42fe90-69f7-4442-a878-9bcba9ada4fc

📥 Commits

Reviewing files that changed from the base of the PR and between 059b91e and 6da1751.

📒 Files selected for processing (1)
  • src/app/clients/clients-view/clients-view.component.html
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/app/clients/clients-view/clients-view.component.html

Walkthrough

Added permission gating to account applications trigger buttons in the clients view component by applying the mifosxHasPermission directive with CREATE_* permissions to two button elements, restricting visibility based on user permissions.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Permission Gating for Account Applications: src/app/clients/clients-view/clients-view.component.html | Added mifosxHasPermission directive with multiple CREATE_ permissions to two account applications trigger buttons (header-area and client menu), maintaining existing [matMenuTriggerFor]="accountApplications" functionality. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested reviewers

  • IOhacker

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ❓ Inconclusive | The title 'WEB-844: Hamburguer menu grant-treasurer' is related to the changeset but does not clearly describe the main technical change: adding permission guards to the Applications button. | Consider revising the title to more clearly describe the main change, such as 'Add permission guard to Applications menu button in client hamburger menu' or 'Fix Applications button visibility with RBAC permission checks'. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/assets/env.js`:
- Line 103: The checked-in default hardcodes RBAC on by setting
window['env']['productionModeEnableRBAC'] = true; change this to a
backward-compatible default (false) and ensure RBAC is enabled only via
runtime/deployment injection (the env.template.js / injection path), i.e.,
update the default assignment for window['env']['productionModeEnableRBAC'] to
false and document or rely on the existing env template mechanism to flip it in
deployments.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 78c857b6-9ba7-47e3-8cfa-a5f64417f658

📥 Commits

Reviewing files that changed from the base of the PR and between a3139ae and 059b91e.

📒 Files selected for processing (2)
  • src/app/clients/clients-view/clients-view.component.html
  • src/assets/env.js

Comment thread src/assets/env.js Outdated
…urer

The Applications button in the client hamburger menu was visible to all
users regardless of permissions when RBAC is enabled, because only the
child items inside the submenu had mifosxHasPermission guards and the
parent trigger button had none.

Add a combined permission check so the button only renders if the user
has at least one of: CREATE_LOAN, CREATE_SAVINGSACCOUNT,
CREATE_SHAREACCOUNT, CREATE_RECURRINGDEPOSITACCOUNT,
CREATE_FIXEDDEPOSITACCOUNT. Fixed the changes needed for the treasurer role.

Closes: WEB-844

fix(env): revert productionModeEnableRBAC default to false for backward compatibility
@ansh-varshney ansh-varshney force-pushed the WEB-844-fix-tesorero-hamburger-menus branch from db8b9ba to 6da1751 Compare March 15, 2026 05:53
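
A template check for the gap this PR closes, as an added example that is not part of the PR or the project's code: it reports menu trigger buttons that have no mifosxHasPermission guard although every item of the menu they open is guarded. The two templates are constructed, and the attribute syntax shown for the directive (including the array form on the trigger) is an assumption.

```typescript
// Added example, not project code. Regex scan: assumes no '>' inside attribute values.
interface UnguardedTrigger { menu: string; tag: string; }

const GUARD = /mifosxHasPermission/;

// Opening <button ...> tags in a fragment of template markup.
function buttonTags(html: string): string[] {
  const tags: string[] = [];
  const re = /<button\b[^>]*>/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(html)) !== null) tags.push(m[0]);
  return tags;
}

function findUnguardedTriggers(template: string): UnguardedTrigger[] {
  // Map each <mat-menu #ref="matMenu"> to the buttons it contains.
  const menus: { [ref: string]: string[] } = {};
  const menuRe = /<mat-menu\s[^>]*#(\w+)[^>]*>([\s\S]*?)<\/mat-menu>/g;
  let m: RegExpExecArray | null;
  while ((m = menuRe.exec(template)) !== null) menus[m[1]] = buttonTags(m[2]);

  const findings: UnguardedTrigger[] = [];
  for (const tag of buttonTags(template)) {
    const ref = /\[matMenuTriggerFor\]="(\w+)"/.exec(tag);
    if (ref === null || GUARD.test(tag)) continue;
    const items = menus[ref[1]] || [];
    // The trigger is unguarded. Report it when all of its items are guarded:
    // a role holding none of those permissions would still see the trigger.
    if (items.length > 0 && items.every((t) => GUARD.test(t))) {
      findings.push({ menu: ref[1], tag });
    }
  }
  return findings;
}

// Constructed templates: the trigger before and after adding a combined guard.
const BEFORE_TEMPLATE = `
<button mat-menu-item [matMenuTriggerFor]="accountApplications">Applications</button>
<mat-menu #accountApplications="matMenu">
  <button mat-menu-item *mifosxHasPermission="'CREATE_LOAN'">Loan</button>
  <button mat-menu-item *mifosxHasPermission="'CREATE_SAVINGSACCOUNT'">Savings</button>
</mat-menu>`;
const AFTER_TEMPLATE = BEFORE_TEMPLATE.replace(
  "<button mat-menu-item [matMenuTriggerFor]",
  `<button mat-menu-item *mifosxHasPermission="['CREATE_LOAN', 'CREATE_SAVINGSACCOUNT']" [matMenuTriggerFor]`);

console.log(findUnguardedTriggers(BEFORE_TEMPLATE).map((f) => f.menu));
console.log(findUnguardedTriggers(AFTER_TEMPLATE).length);
```

A finding here is a UI consistency gap: the directive only controls what is rendered, so the API must still reject the create calls for roles that lack the permission.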
Contributor

@IOhacker IOhacker left a comment

LGTM

@ansh-varshney
Contributor Author

Hi @IOhacker, kindly merge the PR if there are no issues.

@IOhacker IOhacker merged commit d115e23 into openMF:dev Mar 15, 2026
6 checks passed
@coderabbitai coderabbitai Bot mentioned this pull request Apr 19, 2026
2 tasks