Add permission check and audit logging

Author: akheron

frontend/src/lib-common/generated/action.d.ts

@@ -83,6 +83,7 @@ export type Global =
   | 'SEARCH_EMPLOYEES'
   | 'SEARCH_FEE_DECISIONS'
   | 'SEARCH_INVOICES'
+  | 'SEARCH_PAYMENTS'
   | 'SEARCH_PEOPLE'
   | 'SEARCH_PEOPLE_UNRESTRICTED'
   | 'SEARCH_VOUCHER_VALUE_DECISIONS'

service/src/main/kotlin/fi/espoo/evaka/Audit.kt

@@ -406,6 +406,7 @@ enum class Audit(
     PartnerShipsUpdate,
     PartnersInDifferentAddressReportRead,
     PatuReportSend,
+    PaymentsSearch,
     PaymentsConfirmDrafts,
     PaymentsCreate,
     PaymentsDeleteDrafts,

service/src/main/kotlin/fi/espoo/evaka/invoicing/controller/PaymentController.kt

@@ -33,9 +33,21 @@ class PaymentController(
     fun searchPayments(
         db: Database,
         user: AuthenticatedUser.Employee,
+        clock: EvakaClock,
         @RequestBody params: SearchPaymentsRequest,
     ): PagedPayments {
-        return db.connect { dbc -> dbc.read { tx -> tx.searchPayments(params) } }
+        return db.connect { dbc ->
+                dbc.read { tx ->
+                    accessControl.requirePermissionFor(
+                        tx,
+                        user,
+                        clock,
+                        Action.Global.SEARCH_PAYMENTS,
+                    )
+                    tx.searchPayments(params)
+                }
+            }
+            .also { Audit.PaymentsSearch.log(meta = mapOf("total" to it.total)) }
     }
 
     @PostMapping("/employee/payments/create-drafts")

service/src/main/kotlin/fi/espoo/evaka/shared/security/Action.kt

@@ -205,6 +205,7 @@ sealed interface Action {
         ),
         SEARCH_INVOICES(HasGlobalRole(ADMIN, FINANCE_ADMIN, FINANCE_STAFF)),
         CREATE_DRAFT_INVOICES(HasGlobalRole(ADMIN, FINANCE_ADMIN)),
+        SEARCH_PAYMENTS(HasGlobalRole(ADMIN, FINANCE_ADMIN)),
         CREATE_DRAFT_PAYMENTS(HasGlobalRole(ADMIN, FINANCE_ADMIN)),
         READ_ASSISTANCE_ACTION_OPTIONS(
             HasGlobalRole(