Merge pull request #962 from bigcapitalhq/feature/ahmedbouhuolia/add-permission-guards-to-credit-controllers

fix(server): add permission guards to credit note and vendor credit controllers

docker/migration/Dockerfile

@@ -35,4 +35,4 @@ WORKDIR /app/packages/server
 RUN git clone https://github.com/vishnubob/wait-for-it.git
 
 # Once we listen the mysql port run the migration task.
-CMD ./wait-for-it/wait-for-it.sh mysql:3306 -- sh -c "pnpm run system:migrate:latest && pnpm run tenants:migrate:latest"
+CMD ./wait-for-it/wait-for-it.sh mysql:3306 -- sh -c "node dist/cli.js system:migrate:latest && node dist/cli.js tenants:migrate:latest"

packages/server/Dockerfile

@@ -75,6 +75,9 @@ COPY --from=builder --chown=nodejs:nodejs /app/packages/server/src/i18n ./packag
 COPY --from=builder --chown=nodejs:nodejs /app/packages/server/public ./packages/server/public
 COPY --from=builder --chown=nodejs:nodejs /app/packages/server/static ./packages/server/static
 
+# Copy database migration files (needed for running migrations)
+COPY --from=builder --chown=nodejs:nodejs /app/packages/server/src/database ./packages/server/src/database
+
 # Copy built shared packages (dist folders and package.json for module resolution)
 COPY --from=builder --chown=nodejs:nodejs /app/shared/bigcapital-utils/dist ./shared/bigcapital-utils/dist
 COPY --from=builder --chown=nodejs:nodejs /app/shared/pdf-templates/dist ./shared/pdf-templates/dist

packages/server/nest-cli.json

@@ -2,10 +2,23 @@
   "$schema": "https://json.schemastore.org/nest-cli",
   "collection": "@nestjs/schematics",
   "sourceRoot": "src",
+  "entryFile": "main",
   "compilerOptions": {
     "deleteOutDir": true,
     "assets": [
-      { "include": "i18n/**/*", "watchAssets": true }
+      { "include": "i18n/**/*", "watchAssets": true },
+      { "include": "database/**/*", "exclude": "**/*.ts", "watchAssets": true }
     ]
+  },
+  "projects": {
+    "cli": {
+      "type": "application",
+      "root": "src",
+      "entryFile": "cli",
+      "sourceRoot": "src",
+      "compilerOptions": {
+        "tsConfigPath": "tsconfig.json"
+      }
+    }
   }
 }

packages/server/package.json

@@ -40,6 +40,9 @@
     "@lemonsqueezy/lemonsqueezy.js": "^2.2.0",
     "@liaoliaots/nestjs-redis": "^10.0.0",
     "@nest-lab/throttler-storage-redis": "^1.1.0",
+    "@bull-board/api": "^5.22.0",
+    "@bull-board/express": "^5.22.0",
+    "@bull-board/nestjs": "^5.22.0",
     "@nestjs/bull": "^10.2.1",
     "@nestjs/bullmq": "^10.2.2",
     "@nestjs/cache-manager": "^2.2.2",

packages/server/src/common/config/bull-board.ts

@@ -0,0 +1,8 @@
+import { registerAs } from '@nestjs/config';
+import { parseBoolean } from '@/utils/parse-boolean';
+
+export default registerAs('bullBoard', () => ({
+  enabled: parseBoolean<boolean>(process.env.BULL_BOARD_ENABLED, false),
+  username: process.env.BULL_BOARD_USERNAME,
+  password: process.env.BULL_BOARD_PASSWORD,
+}));

packages/server/src/common/config/index.ts

@@ -19,6 +19,7 @@ import throttle from './throttle';
 import cloud from './cloud';
 import redis from './redis';
 import queue from './queue';
+import bullBoard from './bull-board';
 
 export const config = [
   app,
@@ -42,4 +43,5 @@ export const config = [
   throttle,
   redis,
   queue,
+  bullBoard,
 ];

packages/server/src/common/config/s3.ts

@@ -6,4 +6,5 @@ export default registerAs('s3', () => ({
   secretAccessKey: process.env.S3_SECRET_ACCESS_KEY,
   endpoint: process.env.S3_ENDPOINT,
   bucket: process.env.S3_BUCKET,
+  forcePathStyle: process.env.S3_FORCE_PATH_STYLE === 'true',
 }));

packages/server/src/middleware/bull-board-auth.middleware.ts

@@ -0,0 +1,59 @@
+import { Request, Response, NextFunction } from 'express';
+
+/**
+ * Creates Express middleware for the Bull Board UI:
+ * - When disabled: responds with 404.
+ * - When enabled and username/password are set: enforces HTTP Basic Auth (401 if invalid).
+ * - When enabled and credentials are not set: allows access (no auth).
+ */
+export function createBullBoardAuthMiddleware(
+  enabled: boolean,
+  username: string | undefined,
+  password: string | undefined,
+): (req: Request, res: Response, next: NextFunction) => void {
+  return (req: Request, res: Response, next: NextFunction) => {
+    if (!enabled) {
+      res.status(404).send('Not Found');
+      return;
+    }
+
+    if (!username || !password) {
+      return next();
+    }
+
+    const authHeader = req.headers.authorization;
+    if (!authHeader || !authHeader.startsWith('Basic ')) {
+      res.setHeader('WWW-Authenticate', 'Basic realm="Bull Board"');
+      res.status(401).send('Authentication required');
+      return;
+    }
+
+    const base64Credentials = authHeader.slice(6);
+    let decoded: string;
+    try {
+      decoded = Buffer.from(base64Credentials, 'base64').toString('utf8');
+    } catch {
+      res.setHeader('WWW-Authenticate', 'Basic realm="Bull Board"');
+      res.status(401).send('Invalid credentials');
+      return;
+    }
+
+    const colonIndex = decoded.indexOf(':');
+    if (colonIndex === -1) {
+      res.setHeader('WWW-Authenticate', 'Basic realm="Bull Board"');
+      res.status(401).send('Invalid credentials');
+      return;
+    }
+
+    const reqUsername = decoded.slice(0, colonIndex);
+    const reqPassword = decoded.slice(colonIndex + 1);
+
+    if (reqUsername !== username || reqPassword !== password) {
+      res.setHeader('WWW-Authenticate', 'Basic realm="Bull Board"');
+      res.status(401).send('Invalid credentials');
+      return;
+    }
+
+    next();
+  };
+}

packages/server/src/modules/Accounts/Accounts.controller.ts

@@ -9,6 +9,7 @@ import {
   ParseIntPipe,
   Put,
   HttpCode,
+  UseGuards,
 } from '@nestjs/common';
 import { AccountsApplication } from './AccountsApplication.service';
 import { CreateAccountDTO } from './CreateAccount.dto';
@@ -32,6 +33,11 @@ import {
   BulkDeleteDto,
   ValidateBulkDeleteResponseDto,
 } from '@/common/dtos/BulkDelete.dto';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
+import { AccountAction } from './Accounts.types';
 
 @Controller('accounts')
 @ApiTags('Accounts')
@@ -40,11 +46,13 @@ import {
 @ApiExtraModels(GetAccountTransactionResponseDto)
 @ApiExtraModels(ValidateBulkDeleteResponseDto)
 @ApiCommonHeaders()
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class AccountsController {
   constructor(private readonly accountsApplication: AccountsApplication) { }
 
   @Post('validate-bulk-delete')
   @HttpCode(200)
+  @RequirePermission(AccountAction.DELETE, AbilitySubject.Account)
   @ApiOperation({
     summary:
       'Validates which accounts can be deleted and returns counts of deletable and non-deletable accounts.',
@@ -67,6 +75,7 @@ export class AccountsController {
 
   @Post('bulk-delete')
   @HttpCode(200)
+  @RequirePermission(AccountAction.DELETE, AbilitySubject.Account)
   @ApiOperation({ summary: 'Deletes multiple accounts in bulk.' })
   @ApiResponse({
     status: 200,
@@ -81,6 +90,7 @@ export class AccountsController {
   }
 
   @Post()
+  @RequirePermission(AccountAction.CREATE, AbilitySubject.Account)
   @ApiOperation({ summary: 'Create an account' })
   @ApiResponse({
     status: 200,
@@ -91,6 +101,7 @@ export class AccountsController {
   }
 
   @Put(':id')
+  @RequirePermission(AccountAction.EDIT, AbilitySubject.Account)
   @ApiOperation({ summary: 'Edit the given account.' })
   @ApiResponse({
     status: 200,
@@ -111,6 +122,7 @@ export class AccountsController {
   }
 
   @Delete(':id')
+  @RequirePermission(AccountAction.DELETE, AbilitySubject.Account)
   @ApiOperation({ summary: 'Delete the given account.' })
   @ApiResponse({
     status: 200,
@@ -129,6 +141,7 @@ export class AccountsController {
 
   @Post(':id/activate')
   @HttpCode(200)
+  @RequirePermission(AccountAction.EDIT, AbilitySubject.Account)
   @ApiOperation({ summary: 'Activate the given account.' })
   @ApiResponse({
     status: 200,
@@ -147,6 +160,7 @@ export class AccountsController {
 
   @Post(':id/inactivate')
   @HttpCode(200)
+  @RequirePermission(AccountAction.EDIT, AbilitySubject.Account)
   @ApiOperation({ summary: 'Inactivate the given account.' })
   @ApiResponse({
     status: 200,
@@ -164,6 +178,7 @@ export class AccountsController {
   }
 
   @Get('types')
+  @RequirePermission(AccountAction.VIEW, AbilitySubject.Account)
   @ApiOperation({ summary: 'Retrieves the account types.' })
   @ApiResponse({
     status: 200,
@@ -180,6 +195,7 @@ export class AccountsController {
   }
 
   @Get('transactions')
+  @RequirePermission(AccountAction.VIEW, AbilitySubject.Account)
   @ApiOperation({ summary: 'Retrieves the account transactions.' })
   @ApiResponse({
     status: 200,
@@ -198,6 +214,7 @@ export class AccountsController {
   }
 
   @Get(':id')
+  @RequirePermission(AccountAction.VIEW, AbilitySubject.Account)
   @ApiOperation({ summary: 'Retrieves the account details.' })
   @ApiResponse({
     status: 200,
@@ -216,6 +233,7 @@ export class AccountsController {
   }
 
   @Get()
+  @RequirePermission(AccountAction.VIEW, AbilitySubject.Account)
   @ApiOperation({ summary: 'Retrieves the accounts.' })
   @ApiResponse({
     status: 200,

packages/server/src/modules/App/App.module.ts

@@ -12,6 +12,9 @@ import {
   I18nModule,
   QueryResolver,
 } from 'nestjs-i18n';
+import { BullBoardModule } from '@bull-board/nestjs';
+import { ExpressAdapter } from '@bull-board/express';
+import { createBullBoardAuthMiddleware } from '@/middleware/bull-board-auth.middleware';
 import { BullModule } from '@nestjs/bullmq';
 import { ScheduleModule } from '@nestjs/schedule';
 import { PassportModule } from '@nestjs/passport';
@@ -143,6 +146,24 @@ import { AppThrottleModule } from './AppThrottle.module';
       }),
       inject: [ConfigService],
     }),
+    BullBoardModule.forRootAsync({
+      imports: [ConfigModule],
+      useFactory: (configService: ConfigService) => {
+        const enabled = configService.get<boolean>('bullBoard.enabled');
+        const username = configService.get<string>('bullBoard.username');
+        const password = configService.get<string>('bullBoard.password');
+        return {
+          route: '/queues',
+          adapter: ExpressAdapter,
+          middleware: createBullBoardAuthMiddleware(
+            enabled,
+            username,
+            password,
+          ),
+        };
+      },
+      inject: [ConfigService],
+    }),
     ClsModule.forRoot({
       global: true,
       middleware: {

packages/server/src/modules/Auth/Auth.module.ts

@@ -17,6 +17,8 @@ import { PassportModule } from '@nestjs/passport';
 import { APP_GUARD } from '@nestjs/core';
 import { JwtAuthGuard } from './guards/jwt.guard';
 import { AuthMailSubscriber } from './subscribers/AuthMail.subscriber';
+import { BullBoardModule } from '@bull-board/nestjs';
+import { BullMQAdapter } from '@bull-board/api/bullMQAdapter';
 import { BullModule } from '@nestjs/bullmq';
 import {
   SendResetPasswordMailQueue,
@@ -63,6 +65,14 @@ const models = [
     TenancyModule,
     BullModule.registerQueue({ name: SendResetPasswordMailQueue }),
     BullModule.registerQueue({ name: SendSignupVerificationMailQueue }),
+    BullBoardModule.forFeature({
+      name: SendResetPasswordMailQueue,
+      adapter: BullMQAdapter,
+    }),
+    BullBoardModule.forFeature({
+      name: SendSignupVerificationMailQueue,
+      adapter: BullMQAdapter,
+    }),
   ],
   exports: [...models],
   providers: [
@@ -98,4 +108,4 @@ const models = [
     AuthMailSubscriber,
   ],
 })
-export class AuthModule { }
+export class AuthModule {}

packages/server/src/modules/Auth/processors/SendResetPasswordMail.processor.ts

@@ -1,10 +1,6 @@
 import { Processor, WorkerHost } from '@nestjs/bullmq';
 import { Scope } from '@nestjs/common';
-import {
-  SendResetPasswordMailJob,
-  SendResetPasswordMailQueue,
-} from '../Auth.constants';
-import { Process } from '@nestjs/bull';
+import { SendResetPasswordMailQueue } from '../Auth.constants';
 import { Job } from 'bullmq';
 import { AuthenticationMailMesssages } from '../AuthMailMessages.esrvice';
 import { MailTransporter } from '@/modules/Mail/MailTransporter.service';
@@ -23,7 +19,6 @@ export class SendResetPasswordMailProcessor extends WorkerHost {
     super();
   }
 
-  @Process(SendResetPasswordMailJob)
   async process(job: Job<SendResetPasswordMailJobPayload>) {
     try {
       await this.authMailMesssages.sendResetPasswordMail(

packages/server/src/modules/Auth/processors/SendSignupVerificationMail.processor.ts

@@ -1,11 +1,7 @@
 import { Scope } from '@nestjs/common';
 import { Job } from 'bullmq';
-import { Process } from '@nestjs/bull';
 import { Processor, WorkerHost } from '@nestjs/bullmq';
-import {
-  SendSignupVerificationMailJob,
-  SendSignupVerificationMailQueue,
-} from '../Auth.constants';
+import { SendSignupVerificationMailQueue } from '../Auth.constants';
 import { MailTransporter } from '@/modules/Mail/MailTransporter.service';
 import { AuthenticationMailMesssages } from '../AuthMailMessages.esrvice';
 
@@ -21,7 +17,6 @@ export class SendSignupVerificationMailProcessor extends WorkerHost {
     super();
   }
 
-  @Process(SendSignupVerificationMailJob)
   async process(job: Job<SendSignupVerificationMailJobPayload>) {
     try {
       await this.authMailMesssages.sendSignupVerificationMail(

packages/server/src/modules/BankRules/dtos/BankRule.dto.ts

@@ -16,7 +16,7 @@ import { ToNumber } from '@/common/decorators/Validators';
 
 class BankRuleConditionDto {
   @IsNotEmpty()
-  @IsIn(['description', 'amount'])
+  @IsIn(['description', 'amount', 'payee'])
   field: string;
 
   @IsNotEmpty()

packages/server/src/modules/BankingPlaid/BankingPlaid.module.ts

@@ -1,3 +1,5 @@
+import { BullBoardModule } from '@bull-board/nestjs';
+import { BullMQAdapter } from '@bull-board/api/bullMQAdapter';
 import { BullModule } from '@nestjs/bullmq';
 import { Module } from '@nestjs/common';
 import { SocketModule } from '../Socket/Socket.module';
@@ -33,6 +35,10 @@ const models = [RegisterTenancyModel(PlaidItem)];
     BankingCategorizeModule,
     BankingTransactionsModule,
     BullModule.registerQueue({ name: UpdateBankingPlaidTransitionsQueueJob }),
+    BullBoardModule.forFeature({
+      name: UpdateBankingPlaidTransitionsQueueJob,
+      adapter: BullMQAdapter,
+    }),
     ...models,
   ],
   providers: [
@@ -51,4 +57,4 @@ const models = [RegisterTenancyModel(PlaidItem)];
   exports: [...models],
   controllers: [BankingPlaidController, BankingPlaidWebhooksController],
 })
-export class BankingPlaidModule { }
+export class BankingPlaidModule {}

packages/server/src/modules/BankingPlaid/jobs/PlaidFetchTransactionsJob.ts

@@ -1,11 +1,9 @@
-import { Process } from '@nestjs/bull';
 import { UseCls } from 'nestjs-cls';
 import { Processor, WorkerHost } from '@nestjs/bullmq';
 import { Scope } from '@nestjs/common';
 import { Job } from 'bullmq';
 import {
   PlaidFetchTransitonsEventPayload,
-  UpdateBankingPlaidTransitionsJob,
   UpdateBankingPlaidTransitionsQueueJob,
 } from '../types/BankingPlaid.types';
 import { PlaidUpdateTransactions } from '../command/PlaidUpdateTransactions';
@@ -28,7 +26,6 @@ export class PlaidFetchTransactionsProcessor extends WorkerHost {
   /**
    * Triggers the function.
    */
-  @Process(UpdateBankingPlaidTransitionsJob)
   @UseCls()
   async process(job: Job<PlaidFetchTransitonsEventPayload>) {
     const { plaidItemId } = job.data;

packages/server/src/modules/BankingTranasctionsRegonize/BankingTransactionsRegonize.module.ts

@@ -10,6 +10,8 @@ import { BankingRecognizedTransactionsController } from './BankingRecognizedTran
 import { RecognizedTransactionsApplication } from './RecognizedTransactions.application';
 import { GetRecognizedTransactionsService } from './GetRecongizedTransactions';
 import { GetRecognizedTransactionService } from './queries/GetRecognizedTransaction.service';
+import { BullBoardModule } from '@bull-board/nestjs';
+import { BullMQAdapter } from '@bull-board/api/bullMQAdapter';
 import { BullModule } from '@nestjs/bullmq';
 import { RecognizeUncategorizedTransactionsQueue } from './_types';
 import { RegonizeTransactionsPrcessor } from './jobs/RecognizeTransactionsJob';
@@ -25,6 +27,10 @@ const models = [RegisterTenancyModel(RecognizedBankTransaction)];
     BullModule.registerQueue({
       name: RecognizeUncategorizedTransactionsQueue,
     }),
+    BullBoardModule.forFeature({
+      name: RecognizeUncategorizedTransactionsQueue,
+      adapter: BullMQAdapter,
+    }),
     ...models,
   ],
   providers: [

packages/server/src/modules/BankingTranasctionsRegonize/_types.ts

@@ -15,8 +15,13 @@ export const RecognizeUncategorizedTransactionsJob =
 export const RecognizeUncategorizedTransactionsQueue =
   'recognize-uncategorized-transactions-queue';
 
-
 export interface RecognizeUncategorizedTransactionsJobPayload extends TenantJobPayload {
   ruleId: number,
-  transactionsCriteria: any;
+  transactionsCriteria?: RecognizeTransactionsCriteria;
+  /**
+   * When true, first reverts recognized transactions before recognizing again.
+   * Used when a bank rule is edited to ensure transactions previously recognized
+   * by lower-priority rules are re-evaluated against the updated rule.
+   */
+  shouldRevert?: boolean;
 }

packages/server/src/modules/BankingTranasctionsRegonize/commands/RecognizeTranasctions.service.ts

@@ -93,6 +93,10 @@ export class RecognizeTranasctionsService {
           q.whereIn('id', rulesIds);
         }
         q.withGraphFetched('conditions');
+
+        // Order by the 'order' field to ensure higher priority rules (lower order values)
+        // are matched first.
+        q.orderBy('order', 'asc');
       });
 
     const bankRulesByAccountId = transformToMapBy(

packages/server/src/modules/BankingTranasctionsRegonize/events/TriggerRecognizedTransactions.ts

@@ -69,10 +69,13 @@ export class TriggerRecognizedTransactionsSubscriber {
     const tenantPayload = await this.tenancyContect.getTenantJobPayload();
     const payload = {
       ruleId: bankRule.id,
+      shouldRevert: true,
       ...tenantPayload,
     } as RecognizeUncategorizedTransactionsJobPayload;
 
     // Re-recognize the transactions based on the new rules.
+    // Setting shouldRevert to true ensures that transactions previously recognized
+    // by this or lower-priority rules are re-evaluated against the updated rule.
     await this.recognizeTransactionsQueue.add(
       RecognizeUncategorizedTransactionsJob,
       payload,

packages/server/src/modules/BankingTranasctionsRegonize/jobs/RecognizeTransactionsJob.ts

@@ -3,11 +3,11 @@ import { Processor, WorkerHost } from '@nestjs/bullmq';
 import { Scope } from '@nestjs/common';
 import { ClsService, UseCls } from 'nestjs-cls';
 import { RecognizeTranasctionsService } from '../commands/RecognizeTranasctions.service';
+import { RevertRecognizedTransactionsService } from '../commands/RevertRecognizedTransactions.service';
 import {
   RecognizeUncategorizedTransactionsJobPayload,
   RecognizeUncategorizedTransactionsQueue,
 } from '../_types';
-import { Process } from '@nestjs/bull';
 
 @Processor({
   name: RecognizeUncategorizedTransactionsQueue,
@@ -16,10 +16,12 @@ import { Process } from '@nestjs/bull';
 export class RegonizeTransactionsPrcessor extends WorkerHost {
   /**
    * @param {RecognizeTranasctionsService} recognizeTranasctionsService -
+   * @param {RevertRecognizedTransactionsService} revertRecognizedTransactionsService -
    * @param {ClsService} clsService -
    */
   constructor(
     private readonly recognizeTranasctionsService: RecognizeTranasctionsService,
+    private readonly revertRecognizedTransactionsService: RevertRecognizedTransactionsService,
     private readonly clsService: ClsService,
   ) {
     super();
@@ -28,15 +30,23 @@ export class RegonizeTransactionsPrcessor extends WorkerHost {
   /**
    * Triggers sending invoice mail.
    */
-  @Process(RecognizeUncategorizedTransactionsQueue)
   @UseCls()
   async process(job: Job<RecognizeUncategorizedTransactionsJobPayload>) {
-    const { ruleId, transactionsCriteria } = job.data;
+    const { ruleId, transactionsCriteria, shouldRevert } = job.data;
 
     this.clsService.set('organizationId', job.data.organizationId);
     this.clsService.set('userId', job.data.userId);
 
     try {
+      // If shouldRevert is true, first revert recognized transactions before re-recognizing.
+      // This is used when a bank rule is edited to ensure transactions previously recognized
+      // by lower-priority rules are re-evaluated against the updated rule.
+      if (shouldRevert) {
+        await this.revertRecognizedTransactionsService.revertRecognizedTransactions(
+          ruleId,
+          transactionsCriteria,
+        );
+      }
       await this.recognizeTranasctionsService.recognizeTransactions(
         ruleId,
         transactionsCriteria,

packages/server/src/modules/BillPayments/BillPayments.controller.ts

@@ -7,6 +7,7 @@ import {
   Post,
   Put,
   Query,
+  UseGuards,
 } from '@nestjs/common';
 import { BillPaymentsApplication } from './BillPaymentsApplication.service';
 import {
@@ -26,12 +27,18 @@ import { BillPaymentsPages } from './commands/BillPaymentsPages.service';
 import { BillPaymentResponseDto } from './dtos/BillPaymentResponse.dto';
 import { PaginatedResponseDto } from '@/common/dtos/PaginatedResults.dto';
 import { ApiCommonHeaders } from '@/common/decorators/ApiCommonHeaders';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
+import { IPaymentMadeAction } from './types/BillPayments.types';
 
 @Controller('bill-payments')
 @ApiTags('Bill Payments')
 @ApiExtraModels(BillPaymentResponseDto)
 @ApiExtraModels(PaginatedResponseDto)
 @ApiCommonHeaders()
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class BillPaymentsController {
   constructor(
     private billPaymentsApplication: BillPaymentsApplication,
@@ -39,12 +46,14 @@ export class BillPaymentsController {
   ) {}
 
   @Post()
+  @RequirePermission(IPaymentMadeAction.Create, AbilitySubject.PaymentMade)
   @ApiOperation({ summary: 'Create a new bill payment.' })
   public createBillPayment(@Body() billPaymentDTO: CreateBillPaymentDto) {
     return this.billPaymentsApplication.createBillPayment(billPaymentDTO);
   }
 
   @Delete(':billPaymentId')
+  @RequirePermission(IPaymentMadeAction.Delete, AbilitySubject.PaymentMade)
   @ApiOperation({ summary: 'Delete the given bill payment.' })
   @ApiParam({
     name: 'billPaymentId',
@@ -59,6 +68,7 @@ export class BillPaymentsController {
   }
 
   @Put(':billPaymentId')
+  @RequirePermission(IPaymentMadeAction.Edit, AbilitySubject.PaymentMade)
   @ApiOperation({ summary: 'Edit the given bill payment.' })
   @ApiParam({
     name: 'billPaymentId',
@@ -77,6 +87,7 @@ export class BillPaymentsController {
   }
 
   @Get('/new-page/entries')
+  @RequirePermission(IPaymentMadeAction.View, AbilitySubject.PaymentMade)
   @ApiOperation({
     summary:
       'Retrieves the payable entries of the new page once vendor be selected.',
@@ -95,6 +106,7 @@ export class BillPaymentsController {
   }
 
   @Get(':billPaymentId/bills')
+  @RequirePermission(IPaymentMadeAction.View, AbilitySubject.PaymentMade)
   @ApiOperation({ summary: 'Retrieves the bills of the given bill payment.' })
   @ApiParam({
     name: 'billPaymentId',
@@ -107,6 +119,7 @@ export class BillPaymentsController {
   }
 
   @Get('/:billPaymentId/edit-page')
+  @RequirePermission(IPaymentMadeAction.View, AbilitySubject.PaymentMade)
   @ApiOperation({
     summary: 'Retrieves the edit page of the given bill payment.',
   })
@@ -126,6 +139,7 @@ export class BillPaymentsController {
   }
 
   @Get(':billPaymentId')
+  @RequirePermission(IPaymentMadeAction.View, AbilitySubject.PaymentMade)
   @ApiOperation({ summary: 'Retrieves the bill payment details.' })
   @ApiResponse({
     status: 200,
@@ -145,6 +159,7 @@ export class BillPaymentsController {
   }
 
   @Get()
+  @RequirePermission(IPaymentMadeAction.View, AbilitySubject.PaymentMade)
   @ApiOperation({ summary: 'Retrieves the bill payments list.' })
   @ApiResponse({
     status: 200,

packages/server/src/modules/Bills/Bills.controller.ts

@@ -17,6 +17,7 @@ import {
   Get,
   Query,
   HttpCode,
+  UseGuards,
 } from '@nestjs/common';
 import { BillsApplication } from './Bills.application';
 import { IBillsFilter } from './Bills.types';
@@ -28,6 +29,11 @@ import {
   BulkDeleteDto,
   ValidateBulkDeleteResponseDto,
 } from '@/common/dtos/BulkDelete.dto';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
+import { BillAction } from './Bills.types';
 
 @Controller('bills')
 @ApiTags('Bills')
@@ -35,10 +41,12 @@ import {
 @ApiExtraModels(PaginatedResponseDto)
 @ApiCommonHeaders()
 @ApiExtraModels(ValidateBulkDeleteResponseDto)
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class BillsController {
   constructor(private billsApplication: BillsApplication) { }
 
   @Post('validate-bulk-delete')
+  @RequirePermission(BillAction.Delete, AbilitySubject.Bill)
   @ApiOperation({
     summary: 'Validate which bills can be deleted and return the results.',
   })
@@ -58,6 +66,7 @@ export class BillsController {
   }
 
   @Post('bulk-delete')
+  @RequirePermission(BillAction.Delete, AbilitySubject.Bill)
   @ApiOperation({ summary: 'Deletes multiple bills.' })
   @HttpCode(200)
   @ApiResponse({
@@ -73,12 +82,14 @@ export class BillsController {
   }
 
   @Post()
+  @RequirePermission(BillAction.Create, AbilitySubject.Bill)
   @ApiOperation({ summary: 'Create a new bill.' })
   createBill(@Body() billDTO: CreateBillDto) {
     return this.billsApplication.createBill(billDTO);
   }
 
   @Put(':id')
+  @RequirePermission(BillAction.Edit, AbilitySubject.Bill)
   @ApiOperation({ summary: 'Edit the given bill.' })
   @ApiParam({
     name: 'id',
@@ -91,6 +102,7 @@ export class BillsController {
   }
 
   @Delete(':id')
+  @RequirePermission(BillAction.Delete, AbilitySubject.Bill)
   @ApiOperation({ summary: 'Delete the given bill.' })
   @ApiParam({
     name: 'id',
@@ -103,6 +115,7 @@ export class BillsController {
   }
 
   @Get()
+  @RequirePermission(BillAction.View, AbilitySubject.Bill)
   @ApiOperation({ summary: 'Retrieves the bills.' })
   @ApiResponse({
     status: 200,
@@ -132,6 +145,7 @@ export class BillsController {
   }
 
   @Get(':id/payment-transactions')
+  @RequirePermission(BillAction.View, AbilitySubject.Bill)
   @ApiOperation({
     summary: 'Retrieve the specific bill associated payment transactions.',
   })
@@ -146,6 +160,7 @@ export class BillsController {
   }
 
   @Get(':id')
+  @RequirePermission(BillAction.View, AbilitySubject.Bill)
   @ApiOperation({ summary: 'Retrieves the bill details.' })
   @ApiResponse({
     status: 200,
@@ -165,6 +180,7 @@ export class BillsController {
   }
 
   @Patch(':id/open')
+  @RequirePermission(BillAction.Edit, AbilitySubject.Bill)
   @ApiOperation({ summary: 'Open the given bill.' })
   @ApiParam({
     name: 'id',
@@ -177,6 +193,7 @@ export class BillsController {
   }
 
   @Get('due')
+  @RequirePermission(BillAction.View, AbilitySubject.Bill)
   @ApiOperation({ summary: 'Retrieves the due bills.' })
   getDueBills(@Body('vendorId') vendorId?: number) {
     return this.billsApplication.getDueBills(vendorId);

packages/server/src/modules/Bills/dtos/BillResponse.dto.ts

@@ -1,6 +1,8 @@
 import { ApiProperty } from '@nestjs/swagger';
+import { Type } from 'class-transformer';
 import { ItemEntryDto } from '@/modules/TransactionItemEntry/dto/ItemEntry.dto';
 import { AttachmentLinkDto } from '@/modules/Attachments/dtos/Attachment.dto';
+import { BranchResponseDto } from '@/modules/Branches/dtos/BranchResponse.dto';
 import { DiscountType } from '@/common/types/Discount';
 
 export class BillResponseDto {
@@ -89,6 +91,14 @@ export class BillResponseDto {
   })
   branchId?: number;
 
+  @ApiProperty({
+    description: 'Branch details',
+    type: () => BranchResponseDto,
+    required: false,
+  })
+  @Type(() => BranchResponseDto)
+  branch?: BranchResponseDto;
+
   @ApiProperty({
     description: 'The ID of the project',
     example: 301,

packages/server/src/modules/Bills/queries/Bill.transformer.ts

@@ -30,6 +30,7 @@ export class BillTransformer extends Transformer {
       'taxes',
       'entries',
       'attachments',
+      'branch',
     ];
   };
 

packages/server/src/modules/Branches/Branches.module.ts

@@ -31,6 +31,12 @@ import { ValidateBranchExistance } from './integrations/ValidateBranchExistance'
 import { ManualJournalBranchesValidator } from './integrations/ManualJournals/ManualJournalsBranchesValidator';
 import { CashflowTransactionsActivateBranches } from './integrations/Cashflow/CashflowActivateBranches';
 import { ExpensesActivateBranches } from './integrations/Expense/ExpensesActivateBranches';
+import { BillActivateBranches } from './integrations/Purchases/BillBranchesActivate';
+import { VendorCreditActivateBranches } from './integrations/Purchases/VendorCreditBranchesActivate';
+import { BillPaymentsActivateBranches } from './integrations/Purchases/PaymentMadeBranchesActivate';
+import { BillBranchesActivateSubscriber } from './subscribers/Activate/BillBranchesActivateSubscriber';
+import { VendorCreditBranchesActivateSubscriber } from './subscribers/Activate/VendorCreditBranchesActivateSubscriber';
+import { PaymentMadeActivateBranchesSubscriber } from './subscribers/Activate/PaymentMadeBranchesActivateSubscriber';
 import { FeaturesModule } from '../Features/Features.module';
 
 @Module({
@@ -66,7 +72,13 @@ import { FeaturesModule } from '../Features/Features.module';
     ValidateBranchExistance,
     ManualJournalBranchesValidator,
     CashflowTransactionsActivateBranches,
-    ExpensesActivateBranches
+    ExpensesActivateBranches,
+    BillActivateBranches,
+    VendorCreditActivateBranches,
+    BillPaymentsActivateBranches,
+    BillBranchesActivateSubscriber,
+    VendorCreditBranchesActivateSubscriber,
+    PaymentMadeActivateBranchesSubscriber
   ],
   exports: [
     BranchesSettingsService,

packages/server/src/modules/Branches/integrations/Purchases/BillBranchesActivate.ts

@@ -1,11 +1,14 @@
 import { Knex } from 'knex';
-import { Injectable } from '@nestjs/common';
+import { Inject, Injectable } from '@nestjs/common';
 import { TenantModelProxy } from '@/modules/System/models/TenantBaseModel';
 import { Bill } from '@/modules/Bills/models/Bill';
 
 @Injectable()
 export class BillActivateBranches {
-  constructor(private readonly billModel: TenantModelProxy<typeof Bill>) {}
+  constructor(
+    @Inject(Bill.name)
+    private readonly billModel: TenantModelProxy<typeof Bill>,
+  ) {}
 
   /**
    * Updates all bills transactions with the primary branch.
@@ -17,7 +20,7 @@ export class BillActivateBranches {
     primaryBranchId: number,
     trx?: Knex.Transaction,
   ) => {
-    // Updates the sale invoice with primary branch.
-    await Bill.query(trx).update({ branchId: primaryBranchId });
+    // Updates the bills with primary branch.
+    await this.billModel().query(trx).update({ branchId: primaryBranchId });
   };
 }

packages/server/src/modules/Branches/integrations/Purchases/PaymentMadeBranchesActivate.ts

@@ -1,11 +1,12 @@
 import { Knex } from 'knex';
+import { Inject, Injectable } from '@nestjs/common';
 import { TenantModelProxy } from '@/modules/System/models/TenantBaseModel';
 import { BillPayment } from '@/modules/BillPayments/models/BillPayment';
-import { Injectable } from '@nestjs/common';
 
 @Injectable()
 export class BillPaymentsActivateBranches {
   constructor(
+    @Inject(BillPayment.name)
     private readonly billPaymentModel: TenantModelProxy<typeof BillPayment>,
   ) {}
 

packages/server/src/modules/Branches/integrations/Purchases/VendorCreditBranchesActivate.ts

@@ -1,11 +1,12 @@
 import { Knex } from 'knex';
-import { Injectable } from '@nestjs/common';
+import { Inject, Injectable } from '@nestjs/common';
 import { TenantModelProxy } from '@/modules/System/models/TenantBaseModel';
 import { VendorCredit } from '@/modules/VendorCredit/models/VendorCredit';
 
 @Injectable()
 export class VendorCreditActivateBranches {
   constructor(
+    @Inject(VendorCredit.name)
     private readonly vendorCreditModel: TenantModelProxy<typeof VendorCredit>,
   ) {}
 

packages/server/src/modules/Branches/subscribers/Activate/BillBranchesActivateSubscriber.ts

@@ -0,0 +1,28 @@
+import { IBranchesActivatedPayload } from '../../Branches.types';
+import { events } from '@/common/events/events';
+import { Injectable } from '@nestjs/common';
+import { BillActivateBranches } from '../../integrations/Purchases/BillBranchesActivate';
+import { OnEvent } from '@nestjs/event-emitter';
+
+@Injectable()
+export class BillBranchesActivateSubscriber {
+  constructor(
+    private readonly billActivateBranches: BillActivateBranches,
+  ) { }
+
+  /**
+   * Updates bills transactions with the primary branch once
+   * the multi-branches is activated.
+   * @param {IBranchesActivatedPayload}
+   */
+  @OnEvent(events.branch.onActivated)
+  async updateBillsWithBranchOnActivated({
+    primaryBranch,
+    trx,
+  }: IBranchesActivatedPayload) {
+    await this.billActivateBranches.updateBillsWithBranch(
+      primaryBranch.id,
+      trx,
+    );
+  }
+}

packages/server/src/modules/Branches/subscribers/Activate/VendorCreditBranchesActivateSubscriber.ts

@@ -0,0 +1,28 @@
+import { IBranchesActivatedPayload } from '../../Branches.types';
+import { events } from '@/common/events/events';
+import { Injectable } from '@nestjs/common';
+import { VendorCreditActivateBranches } from '../../integrations/Purchases/VendorCreditBranchesActivate';
+import { OnEvent } from '@nestjs/event-emitter';
+
+@Injectable()
+export class VendorCreditBranchesActivateSubscriber {
+  constructor(
+    private readonly vendorCreditActivateBranches: VendorCreditActivateBranches,
+  ) { }
+
+  /**
+   * Updates vendor credits transactions with the primary branch once
+   * the multi-branches is activated.
+   * @param {IBranchesActivatedPayload}
+   */
+  @OnEvent(events.branch.onActivated)
+  async updateVendorCreditsWithBranchOnActivated({
+    primaryBranch,
+    trx,
+  }: IBranchesActivatedPayload) {
+    await this.vendorCreditActivateBranches.updateVendorCreditsWithBranch(
+      primaryBranch.id,
+      trx,
+    );
+  }
+}

packages/server/src/modules/CLI/commands/BaseCommand.ts

@@ -22,6 +22,7 @@ export abstract class BaseCommand extends CommandRunner {
       },
       migrations: {
         directory: this.configService.get('systemDatabase.migrationDir'),
+        loadExtensions: ['.js'],
       },
       seeds: {
         directory: this.configService.get('systemDatabase.seedsDir'),
@@ -43,6 +44,7 @@ export abstract class BaseCommand extends CommandRunner {
       },
       migrations: {
         directory: this.configService.get('tenantDatabase.migrationsDir') || './src/database/migrations',
+        loadExtensions: ['.js'],
       },
       seeds: {
         directory: this.configService.get('tenantDatabase.seedsDir') || './src/database/seeds/core',

packages/server/src/modules/CreditNoteRefunds/CreditNoteRefunds.controller.ts

@@ -1,20 +1,35 @@
 import { ApiOperation, ApiTags } from '@nestjs/swagger';
-import { Body, Controller, Delete, Get, Param, Post } from '@nestjs/common';
+import {
+  Body,
+  Controller,
+  Delete,
+  Get,
+  Param,
+  Post,
+  UseGuards,
+} from '@nestjs/common';
 import { ICreditNoteRefundDTO } from '../CreditNotes/types/CreditNotes.types';
 import { CreditNotesRefundsApplication } from './CreditNotesRefundsApplication.service';
 import { RefundCreditNote } from './models/RefundCreditNote';
 import { CreditNoteRefundDto } from './dto/CreditNoteRefund.dto';
 import { ApiCommonHeaders } from '@/common/decorators/ApiCommonHeaders';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
+import { CreditNoteAction } from '../CreditNotes/types/CreditNotes.types';
 
 @Controller('credit-notes')
 @ApiTags('Credit Note Refunds')
 @ApiCommonHeaders()
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class CreditNoteRefundsController {
   constructor(
     private readonly creditNotesRefundsApplication: CreditNotesRefundsApplication,
   ) {}
 
   @Get(':creditNoteId/refunds')
+  @RequirePermission(CreditNoteAction.View, AbilitySubject.CreditNote)
   @ApiOperation({ summary: 'Retrieve the credit note graph.' })
   getCreditNoteRefunds(@Param('creditNoteId') creditNoteId: number) {
     return this.creditNotesRefundsApplication.getCreditNoteRefunds(
@@ -29,6 +44,7 @@ export class CreditNoteRefundsController {
    * @returns {Promise<RefundCreditNote>}
    */
   @Post(':creditNoteId/refunds')
+  @RequirePermission(CreditNoteAction.Refund, AbilitySubject.CreditNote)
   @ApiOperation({ summary: 'Create a refund for the given credit note.' })
   createRefundCreditNote(
     @Param('creditNoteId') creditNoteId: number,
@@ -46,6 +62,7 @@ export class CreditNoteRefundsController {
    * @returns {Promise<void>}
    */
   @Delete('refunds/:refundCreditId')
+  @RequirePermission(CreditNoteAction.Refund, AbilitySubject.CreditNote)
   @ApiOperation({ summary: 'Delete a refund for the given credit note.' })
   deleteRefundCreditNote(
     @Param('refundCreditId') refundCreditId: number,

packages/server/src/modules/CreditNotes/CreditNotes.controller.ts

@@ -18,6 +18,7 @@ import {
   Put,
   Query,
   Res,
+  UseGuards,
 } from '@nestjs/common';
 import { CreditNoteApplication } from './CreditNoteApplication.service';
 import { ICreditNotesQueryDTO } from './types/CreditNotes.types';
@@ -30,6 +31,11 @@ import {
   ValidateBulkDeleteResponseDto,
 } from '@/common/dtos/BulkDelete.dto';
 import { AcceptType } from '@/constants/accept-type';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
+import { CreditNoteAction } from './types/CreditNotes.types';
 
 @Controller('credit-notes')
 @ApiTags('Credit Notes')
@@ -37,6 +43,7 @@ import { AcceptType } from '@/constants/accept-type';
 @ApiExtraModels(PaginatedResponseDto)
 @ApiExtraModels(ValidateBulkDeleteResponseDto)
 @ApiCommonHeaders()
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class CreditNotesController {
   /**
    * @param {CreditNoteApplication} creditNoteApplication - The credit note application service.
@@ -44,6 +51,7 @@ export class CreditNotesController {
   constructor(private creditNoteApplication: CreditNoteApplication) { }
 
   @Post()
+  @RequirePermission(CreditNoteAction.Create, AbilitySubject.CreditNote)
   @ApiOperation({ summary: 'Create a new credit note' })
   @ApiResponse({ status: 201, description: 'Credit note successfully created' })
   @ApiResponse({ status: 400, description: 'Invalid input data' })
@@ -52,6 +60,7 @@ export class CreditNotesController {
   }
 
   @Get('state')
+  @RequirePermission(CreditNoteAction.View, AbilitySubject.CreditNote)
   @ApiOperation({ summary: 'Get credit note state' })
   @ApiResponse({ status: 200, description: 'Returns the credit note state' })
   getCreditNoteState() {
@@ -59,6 +68,7 @@ export class CreditNotesController {
   }
 
   @Get(':id')
+  @RequirePermission(CreditNoteAction.View, AbilitySubject.CreditNote)
   @ApiOperation({ summary: 'Get a specific credit note by ID' })
   @ApiParam({ name: 'id', description: 'Credit note ID', type: 'number' })
   @ApiResponse({
@@ -92,6 +102,7 @@ export class CreditNotesController {
   }
 
   @Get()
+  @RequirePermission(CreditNoteAction.View, AbilitySubject.CreditNote)
   @ApiOperation({ summary: 'Get all credit notes' })
   @ApiResponse({
     status: 200,
@@ -115,6 +126,7 @@ export class CreditNotesController {
   }
 
   @Put(':id')
+  @RequirePermission(CreditNoteAction.Edit, AbilitySubject.CreditNote)
   @ApiOperation({ summary: 'Update a credit note' })
   @ApiParam({ name: 'id', description: 'Credit note ID', type: 'number' })
   @ApiResponse({ status: 200, description: 'Credit note successfully updated' })
@@ -131,6 +143,7 @@ export class CreditNotesController {
   }
 
   @Put(':id/open')
+  @RequirePermission(CreditNoteAction.Edit, AbilitySubject.CreditNote)
   @ApiOperation({ summary: 'Open a credit note' })
   @ApiParam({ name: 'id', description: 'Credit note ID', type: 'number' })
   @ApiResponse({ status: 200, description: 'Credit note successfully opened' })
@@ -140,6 +153,7 @@ export class CreditNotesController {
   }
 
   @Post('validate-bulk-delete')
+  @RequirePermission(CreditNoteAction.Delete, AbilitySubject.CreditNote)
   @ApiOperation({
     summary:
       'Validates which credit notes can be deleted and returns the results.',
@@ -161,6 +175,7 @@ export class CreditNotesController {
   }
 
   @Post('bulk-delete')
+  @RequirePermission(CreditNoteAction.Delete, AbilitySubject.CreditNote)
   @ApiOperation({ summary: 'Deletes multiple credit notes.' })
   @ApiResponse({
     status: 200,
@@ -173,6 +188,7 @@ export class CreditNotesController {
   }
 
   @Delete(':id')
+  @RequirePermission(CreditNoteAction.Delete, AbilitySubject.CreditNote)
   @ApiOperation({ summary: 'Delete a credit note' })
   @ApiParam({ name: 'id', description: 'Credit note ID', type: 'number' })
   @ApiResponse({ status: 200, description: 'Credit note successfully deleted' })

packages/server/src/modules/CreditNotesApplyInvoice/CreditNotesApplyInvoice.controller.ts

@@ -1,15 +1,31 @@
-import { Body, Controller, Get, Param, Post } from '@nestjs/common';
+import {
+  Body,
+  Controller,
+  Get,
+  Param,
+  Post,
+  UseGuards,
+} from '@nestjs/common';
 import { ApiOperation, ApiResponse, ApiTags } from '@nestjs/swagger';
 import { GetCreditNoteAssociatedAppliedInvoices } from './queries/GetCreditNoteAssociatedAppliedInvoices.service';
+import { ApiCommonHeaders } from '@/common/decorators/ApiCommonHeaders';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
+import { CreditNoteAction } from '../CreditNotes/types/CreditNotes.types';
 
 @Controller('credit-notes')
 @ApiTags('Credit Notes Apply Invoice')
+@ApiCommonHeaders()
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class CreditNotesApplyInvoiceController {
   constructor(
     private readonly getCreditNoteAssociatedAppliedInvoicesService: GetCreditNoteAssociatedAppliedInvoices,
   ) {}
 
   @Get(':creditNoteId/applied-invoices')
+  @RequirePermission(CreditNoteAction.View, AbilitySubject.CreditNote)
   @ApiOperation({ summary: 'Applied credit note to invoices' })
   @ApiResponse({
     status: 200,
@@ -24,6 +40,7 @@ export class CreditNotesApplyInvoiceController {
   }
 
   @Post(':creditNoteId/apply-invoices')
+  @RequirePermission(CreditNoteAction.Edit, AbilitySubject.CreditNote)
   @ApiOperation({ summary: 'Apply credit note to invoices' })
   @ApiResponse({
     status: 200,

packages/server/src/modules/Customers/Customers.controller.ts

@@ -7,6 +7,7 @@ import {
   Post,
   Put,
   Query,
+  UseGuards,
 } from '@nestjs/common';
 import { CustomersApplication } from './CustomersApplication.service';
 import { CustomerOpeningBalanceEditDto } from './dtos/CustomerOpeningBalanceEdit.dto';
@@ -26,15 +27,22 @@ import {
   ValidateBulkDeleteCustomersResponseDto,
 } from './dtos/BulkDeleteCustomers.dto';
 import { ApiCommonHeaders } from '@/common/decorators/ApiCommonHeaders';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
+import { CustomerAction } from './types/Customers.types';
 
 @Controller('customers')
 @ApiTags('Customers')
 @ApiExtraModels(CustomerResponseDto)
 @ApiCommonHeaders()
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class CustomersController {
   constructor(private customersApplication: CustomersApplication) { }
 
   @Get(':id')
+  @RequirePermission(CustomerAction.View, AbilitySubject.Customer)
   @ApiOperation({ summary: 'Retrieves the customer details.' })
   @ApiResponse({
     status: 200,
@@ -46,6 +54,7 @@ export class CustomersController {
   }
 
   @Get()
+  @RequirePermission(CustomerAction.View, AbilitySubject.Customer)
   @ApiOperation({ summary: 'Retrieves the customers paginated list.' })
   @ApiResponse({
     status: 200,
@@ -60,6 +69,7 @@ export class CustomersController {
   }
 
   @Post()
+  @RequirePermission(CustomerAction.Create, AbilitySubject.Customer)
   @ApiOperation({ summary: 'Create a new customer.' })
   @ApiResponse({
     status: 201,
@@ -71,6 +81,7 @@ export class CustomersController {
   }
 
   @Put(':id')
+  @RequirePermission(CustomerAction.Edit, AbilitySubject.Customer)
   @ApiOperation({ summary: 'Edit the given customer.' })
   @ApiResponse({
     status: 200,
@@ -85,6 +96,7 @@ export class CustomersController {
   }
 
   @Delete(':id')
+  @RequirePermission(CustomerAction.Delete, AbilitySubject.Customer)
   @ApiOperation({ summary: 'Delete the given customer.' })
   @ApiResponse({
     status: 200,
@@ -95,6 +107,7 @@ export class CustomersController {
   }
 
   @Put(':id/opening-balance')
+  @RequirePermission(CustomerAction.Edit, AbilitySubject.Customer)
   @ApiOperation({ summary: 'Edit the opening balance of the given customer.' })
   @ApiResponse({
     status: 200,
@@ -112,6 +125,7 @@ export class CustomersController {
   }
 
   @Post('validate-bulk-delete')
+  @RequirePermission(CustomerAction.Delete, AbilitySubject.Customer)
   @ApiOperation({
     summary:
       'Validates which customers can be deleted and returns counts of deletable and non-deletable customers.',
@@ -131,6 +145,7 @@ export class CustomersController {
   }
 
   @Post('bulk-delete')
+  @RequirePermission(CustomerAction.Delete, AbilitySubject.Customer)
   @ApiOperation({ summary: 'Deletes multiple customers in bulk.' })
   @ApiResponse({
     status: 200,

packages/server/src/modules/Expenses/Expenses.controller.ts

@@ -7,6 +7,7 @@ import {
   Post,
   Put,
   Query,
+  UseGuards,
 } from '@nestjs/common';
 import { ExpensesApplication } from './ExpensesApplication.service';
 import { IExpensesFilter } from './Expenses.types';
@@ -25,6 +26,11 @@ import {
   BulkDeleteDto,
   ValidateBulkDeleteResponseDto,
 } from '@/common/dtos/BulkDelete.dto';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
+import { ExpenseAction } from './Expenses.types';
 
 @Controller('expenses')
 @ApiTags('Expenses')
@@ -34,10 +40,12 @@ import {
   ValidateBulkDeleteResponseDto,
 )
 @ApiCommonHeaders()
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class ExpensesController {
   constructor(private readonly expensesApplication: ExpensesApplication) { }
 
   @Post('validate-bulk-delete')
+  @RequirePermission(ExpenseAction.Delete, AbilitySubject.Expense)
   @ApiOperation({
     summary: 'Validate which expenses can be deleted and return the results.',
   })
@@ -58,6 +66,7 @@ export class ExpensesController {
   }
 
   @Post('bulk-delete')
+  @RequirePermission(ExpenseAction.Delete, AbilitySubject.Expense)
   @ApiOperation({ summary: 'Deletes multiple expenses.' })
   @ApiResponse({
     status: 200,
@@ -76,6 +85,7 @@ export class ExpensesController {
    * @param {IExpenseCreateDTO} expenseDTO
    */
   @Post()
+  @RequirePermission(ExpenseAction.Create, AbilitySubject.Expense)
   @ApiOperation({ summary: 'Create a new expense transaction.' })
   public createExpense(@Body() expenseDTO: CreateExpenseDto) {
     return this.expensesApplication.createExpense(expenseDTO);
@@ -87,6 +97,7 @@ export class ExpensesController {
    * @param {IExpenseEditDTO} expenseDTO
    */
   @Put(':id')
+  @RequirePermission(ExpenseAction.Edit, AbilitySubject.Expense)
   @ApiOperation({ summary: 'Edit the given expense transaction.' })
   public editExpense(
     @Param('id') expenseId: number,
@@ -100,6 +111,7 @@ export class ExpensesController {
    * @param {number} expenseId
    */
   @Delete(':id')
+  @RequirePermission(ExpenseAction.Delete, AbilitySubject.Expense)
   @ApiOperation({ summary: 'Delete the given expense transaction.' })
   public deleteExpense(@Param('id') expenseId: number) {
     return this.expensesApplication.deleteExpense(expenseId);
@@ -110,6 +122,7 @@ export class ExpensesController {
    * @param {number} expenseId
    */
   @Post(':id/publish')
+  @RequirePermission(ExpenseAction.Edit, AbilitySubject.Expense)
   @ApiOperation({ summary: 'Publish the given expense transaction.' })
   public publishExpense(@Param('id') expenseId: number) {
     return this.expensesApplication.publishExpense(expenseId);
@@ -119,6 +132,7 @@ export class ExpensesController {
    * Get the expense transaction details.
    */
   @Get()
+  @RequirePermission(ExpenseAction.View, AbilitySubject.Expense)
   @ApiOperation({ summary: 'Get the expense transactions.' })
   @ApiResponse({
     status: 200,
@@ -146,6 +160,7 @@ export class ExpensesController {
    * @param {number} expenseId
    */
   @Get(':id')
+  @RequirePermission(ExpenseAction.View, AbilitySubject.Expense)
   @ApiOperation({ summary: 'Get the expense transaction details.' })
   @ApiResponse({
     status: 200,

packages/server/src/modules/FinancialStatements/modules/APAgingSummary/APAgingSummary.controller.ts

@@ -1,5 +1,5 @@
 import { Response } from 'express';
-import { Controller, Get, Headers, Query, Res } from '@nestjs/common';
+import { Controller, Get, Headers, Query, Res, UseGuards } from '@nestjs/common';
 import { APAgingSummaryApplication } from './APAgingSummaryApplication';
 import { AcceptType } from '@/constants/accept-type';
 import {
@@ -11,14 +11,21 @@ import {
 import { APAgingSummaryQueryDto } from './APAgingSummaryQuery.dto';
 import { APAgingSummaryResponseExample } from './APAgingSummary.swagger';
 import { ApiCommonHeaders } from '@/common/decorators/ApiCommonHeaders';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
+import { ReportsAction } from '../../types/Report.types';
 
 @Controller('reports/payable-aging-summary')
 @ApiTags('Reports')
 @ApiCommonHeaders()
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class APAgingSummaryController {
   constructor(private readonly APAgingSummaryApp: APAgingSummaryApplication) { }
 
   @Get()
+  @RequirePermission(ReportsAction.READ_AP_AGING_SUMMARY, AbilitySubject.Report)
   @ApiOperation({ summary: 'Get payable aging summary' })
   @ApiResponse({
     status: 200,

packages/server/src/modules/FinancialStatements/modules/ARAgingSummary/ARAgingSummary.controller.ts

@@ -1,5 +1,4 @@
-import { Controller, Get, Headers } from '@nestjs/common';
-import { Query, Res } from '@nestjs/common';
+import { Controller, Get, Headers, Query, Res, UseGuards } from '@nestjs/common';
 import { ARAgingSummaryApplication } from './ARAgingSummaryApplication';
 import { AcceptType } from '@/constants/accept-type';
 import { Response } from 'express';
@@ -12,14 +11,21 @@ import {
 import { ARAgingSummaryQueryDto } from './ARAgingSummaryQuery.dto';
 import { ARAgingSummaryResponseExample } from './ARAgingSummary.swagger';
 import { ApiCommonHeaders } from '@/common/decorators/ApiCommonHeaders';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
+import { ReportsAction } from '../../types/Report.types';
 
 @Controller('reports/receivable-aging-summary')
 @ApiTags('Reports')
 @ApiCommonHeaders()
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class ARAgingSummaryController {
   constructor(private readonly ARAgingSummaryApp: ARAgingSummaryApplication) {}
 
   @Get()
+  @RequirePermission(ReportsAction.READ_AR_AGING_SUMMARY, AbilitySubject.Report)
   @ApiOperation({ summary: 'Get receivable aging summary' })
   @ApiResponse({
     status: 200,

packages/server/src/modules/FinancialStatements/modules/BalanceSheet/BalanceSheet.controller.ts

@@ -1,5 +1,5 @@
 import { Response } from 'express';
-import { Controller, Get, Headers, Query, Res } from '@nestjs/common';
+import { Controller, Get, Headers, Query, Res, UseGuards } from '@nestjs/common';
 import { AcceptType } from '@/constants/accept-type';
 import { BalanceSheetApplication } from './BalanceSheetApplication';
 import {
@@ -11,10 +11,16 @@ import {
 import { BalanceSheetQueryDto } from './BalanceSheet.dto';
 import { BalanceSheetResponseExample } from './BalanceSheet.swagger';
 import { ApiCommonHeaders } from '@/common/decorators/ApiCommonHeaders';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
+import { ReportsAction } from '../../types/Report.types';
 
 @Controller('/reports/balance-sheet')
 @ApiTags('Reports')
 @ApiCommonHeaders()
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class BalanceSheetStatementController {
   constructor(private readonly balanceSheetApp: BalanceSheetApplication) {}
 
@@ -25,6 +31,7 @@ export class BalanceSheetStatementController {
    * @param {string} acceptHeader - Accept header.
    */
   @Get('')
+  @RequirePermission(ReportsAction.READ_BALANCE_SHEET, AbilitySubject.Report)
   @ApiOperation({ summary: 'Get balance sheet statement' })
   @ApiResponse({
     status: 200,

packages/server/src/modules/FinancialStatements/modules/BalanceSheet/BalanceSheet.dto.ts

@@ -24,14 +24,14 @@ export class BalanceSheetQueryDto extends FinancialSheetBranchesQueryDto {
   displayColumnsType: 'total' | 'date_periods' = 'total';
 
   @ApiProperty({
-    enum: ['day', 'month', 'year'],
+    enum: ['day', 'month', 'year', 'quarter'],
     default: 'year',
     description: 'Time period for column display',
   })
   @IsString()
   @IsOptional()
-  @IsEnum(['day', 'month', 'year'])
-  displayColumnsBy: 'day' | 'month' | 'year' = 'year';
+  @IsEnum(['day', 'month', 'year', 'quarter'])
+  displayColumnsBy: 'day' | 'month' | 'year' | 'quarter' = 'year';
 
   @ApiProperty({
     description: 'Start date for the balance sheet period',

packages/server/src/modules/FinancialStatements/modules/CashFlowStatement/CashFlowStatementQuery.dto.ts

@@ -34,13 +34,13 @@ export class CashFlowStatementQueryDto extends FinancialSheetBranchesQueryDto {
   @ApiProperty({
     description: 'Display columns by time period',
     required: false,
-    enum: ['day', 'month', 'year'],
+    enum: ['day', 'month', 'year', 'quarter'],
     default: 'year',
   })
   @IsString()
   @IsOptional()
-  @IsEnum(['day', 'month', 'year'])
-  displayColumnsBy: 'day' | 'month' | 'year' = 'year';
+  @IsEnum(['day', 'month', 'year', 'quarter'])
+  displayColumnsBy: 'day' | 'month' | 'year' | 'quarter' = 'year';
 
   @ApiProperty({
     description: 'Type of column display',

packages/server/src/modules/FinancialStatements/modules/CashFlowStatement/Cashflow.controller.ts

@@ -1,5 +1,5 @@
 import { Response } from 'express';
-import { Controller, Get, Headers, Query, Res } from '@nestjs/common';
+import { Controller, Get, Headers, Query, Res, UseGuards } from '@nestjs/common';
 import { AcceptType } from '@/constants/accept-type';
 import { CashflowSheetApplication } from './CashflowSheetApplication';
 import {
@@ -11,14 +11,21 @@ import {
 import { CashFlowStatementQueryDto } from './CashFlowStatementQuery.dto';
 import { CashflowStatementResponseExample } from './CashflowStatement.swagger';
 import { ApiCommonHeaders } from '@/common/decorators/ApiCommonHeaders';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
+import { ReportsAction } from '../../types/Report.types';
 
 @Controller('reports/cashflow-statement')
 @ApiTags('Reports')
 @ApiCommonHeaders()
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class CashflowController {
   constructor(private readonly cashflowSheetApp: CashflowSheetApplication) { }
 
   @Get()
+  @RequirePermission(ReportsAction.READ_CASHFLOW, AbilitySubject.Report)
   @ApiResponse({
     status: 200,
     description: 'Cashflow statement report',

packages/server/src/modules/FinancialStatements/modules/GeneralLedger/GeneralLedger.controller.ts

@@ -5,22 +5,29 @@ import {
   ApiTags,
 } from '@nestjs/swagger';
 import { Response } from 'express';
-import { Controller, Get, Headers, Query, Res } from '@nestjs/common';
+import { Controller, Get, Headers, Query, Res, UseGuards } from '@nestjs/common';
 import { GeneralLedgerApplication } from './GeneralLedgerApplication';
 import { AcceptType } from '@/constants/accept-type';
 import { GeneralLedgerQueryDto } from './GeneralLedgerQuery.dto';
 import { GeneralLedgerResponseExample } from './GeneralLedger.swagger';
 import { ApiCommonHeaders } from '@/common/decorators/ApiCommonHeaders';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
+import { ReportsAction } from '../../types/Report.types';
 
 @Controller('/reports/general-ledger')
 @ApiTags('Reports')
 @ApiCommonHeaders()
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class GeneralLedgerController {
   constructor(
     private readonly generalLedgerApplication: GeneralLedgerApplication,
   ) {}
 
   @Get()
+  @RequirePermission(ReportsAction.READ_GENERAL_LEDGET, AbilitySubject.Report)
   @ApiResponse({
     status: 200,
     description: 'General ledger report',

packages/server/src/modules/FinancialStatements/modules/JournalSheet/JournalSheet.controller.ts

@@ -1,4 +1,4 @@
-import { Controller, Get, Headers, Query, Res } from '@nestjs/common';
+import { Controller, Get, Headers, Query, Res, UseGuards } from '@nestjs/common';
 import { Response } from 'express';
 import { AcceptType } from '@/constants/accept-type';
 import { JournalSheetApplication } from './JournalSheetApplication';
@@ -11,14 +11,21 @@ import {
 import { JournalSheetQueryDto } from './JournalSheetQuery.dto';
 import { JournalSheetResponseExample } from './JournalSheet.swagger';
 import { ApiCommonHeaders } from '@/common/decorators/ApiCommonHeaders';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
+import { ReportsAction } from '../../types/Report.types';
 
 @Controller('/reports/journal')
 @ApiTags('Reports')
 @ApiCommonHeaders()
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class JournalSheetController {
   constructor(private readonly journalSheetApp: JournalSheetApplication) {}
 
   @Get()
+  @RequirePermission(ReportsAction.READ_JOURNAL, AbilitySubject.Report)
   @ApiResponse({
     status: 200,
     description: 'Journal report',

packages/server/src/modules/FinancialStatements/modules/ProfitLossSheet/ProfitLossSheet.controller.ts

@@ -1,5 +1,5 @@
 import { Response } from 'express';
-import { Controller, Get, Headers, Query, Res } from '@nestjs/common';
+import { Controller, Get, Headers, Query, Res, UseGuards } from '@nestjs/common';
 import { ProfitLossSheetApplication } from './ProfitLossSheetApplication';
 import { AcceptType } from '@/constants/accept-type';
 import {
@@ -11,10 +11,16 @@ import {
 import { ProfitLossSheetQueryDto } from './ProfitLossSheetQuery.dto';
 import { ProfitLossSheetResponseExample } from './ProfitLossSheet.swagger';
 import { ApiCommonHeaders } from '@/common/decorators/ApiCommonHeaders';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
+import { ReportsAction } from '../../types/Report.types';
 
 @Controller('/reports/profit-loss-sheet')
 @ApiTags('Reports')
 @ApiCommonHeaders()
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class ProfitLossSheetController {
   constructor(
     private readonly profitLossSheetApp: ProfitLossSheetApplication,
@@ -27,6 +33,7 @@ export class ProfitLossSheetController {
    * @param {string} acceptHeader
    */
   @Get('/')
+  @RequirePermission(ReportsAction.READ_PROFIT_LOSS, AbilitySubject.Report)
   @ApiResponse({
     status: 200,
     description: 'Profit & loss statement',

packages/server/src/modules/FinancialStatements/modules/ProfitLossSheet/ProfitLossSheetQuery.dto.ts

@@ -64,10 +64,10 @@ export class ProfitLossSheetQueryDto extends FinancialSheetBranchesQueryDto {
   displayColumnsType: 'total' | 'date_periods';
 
   @IsString()
-  @IsEnum(['day', 'month', 'year'])
+  @IsEnum(['day', 'month', 'year', 'quarter'])
   @IsOptional()
   @ApiProperty({ description: 'How to display columns' })
-  displayColumnsBy: 'day' | 'month' | 'year' = 'year';
+  displayColumnsBy: 'day' | 'month' | 'year' | 'quarter' = 'year';
 
   @Transform(({ value }) => parseBoolean(value, false))
   @IsBoolean()

packages/server/src/modules/FinancialStatements/modules/TrialBalanceSheet/TrialBalanceSheet.ts

@@ -172,8 +172,11 @@ export class TrialBalanceSheet extends FinancialSheet {
   private filterNoneTransactions = (
     accountNode: ITrialBalanceAccount
   ): boolean => {
-    const accountLedger = this.repository.totalAccountsLedger.whereAccountId(
-      accountNode.id,
+    const depsAccountsIds =
+      this.repository.accountsDepGraph.dependenciesOf(accountNode.id);
+
+    const accountLedger = this.repository.totalAccountsLedger.whereAccountsIds(
+      [accountNode.id, ...depsAccountsIds]
     );
     return !accountLedger.isEmpty();
   };
@@ -241,8 +244,8 @@ export class TrialBalanceSheet extends FinancialSheet {
    */
   private accountsSection(accounts: ModelObject<Account>[]) {
     return R.compose(
-      this.nestedAccountsNode,
       this.accountsFilter,
+      this.nestedAccountsNode,
       this.accountsMapper
     )(accounts);
   }
@@ -250,7 +253,6 @@ export class TrialBalanceSheet extends FinancialSheet {
   /**
    * Retrieve trial balance sheet statement data.
    * Note: Retruns null in case there is no transactions between the given date periods.
-   *
    * @return {ITrialBalanceSheetData}
    */
   public reportData(): ITrialBalanceSheetData {

packages/server/src/modules/InventoryAdjutments/InventoryAdjustments.controller.ts

@@ -14,6 +14,7 @@ import {
   Post,
   Put,
   Query,
+  UseGuards,
 } from '@nestjs/common';
 import { InventoryAdjustmentsApplicationService } from './InventoryAdjustmentsApplication.service';
 import { IInventoryAdjustmentsFilter } from './types/InventoryAdjustments.types';
@@ -21,17 +22,24 @@ import { InventoryAdjustment } from './models/InventoryAdjustment';
 import { CreateQuickInventoryAdjustmentDto } from './dtos/CreateQuickInventoryAdjustment.dto';
 import { InventoryAdjustmentResponseDto } from './dtos/InventoryAdjustmentResponse.dto';
 import { ApiCommonHeaders } from '@/common/decorators/ApiCommonHeaders';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
+import { InventoryAdjustmentAction } from './types/InventoryAdjustments.types';
 
 @Controller('inventory-adjustments')
 @ApiTags('Inventory Adjustments')
 @ApiExtraModels(InventoryAdjustmentResponseDto)
 @ApiCommonHeaders()
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class InventoryAdjustmentsController {
   constructor(
     private readonly inventoryAdjustmentsApplicationService: InventoryAdjustmentsApplicationService,
   ) {}
 
   @Post('quick')
+  @RequirePermission(InventoryAdjustmentAction.CREATE, AbilitySubject.InventoryAdjustment)
   @ApiOperation({ summary: 'Create a quick inventory adjustment.' })
   @ApiResponse({
     status: 200,
@@ -46,6 +54,7 @@ export class InventoryAdjustmentsController {
   }
 
   @Delete(':id')
+  @RequirePermission(InventoryAdjustmentAction.DELETE, AbilitySubject.InventoryAdjustment)
   @ApiOperation({ summary: 'Delete the given inventory adjustment.' })
   @ApiResponse({
     status: 200,
@@ -60,6 +69,7 @@ export class InventoryAdjustmentsController {
   }
 
   @Get()
+  @RequirePermission(InventoryAdjustmentAction.VIEW, AbilitySubject.InventoryAdjustment)
   @ApiOperation({ summary: 'Retrieves the inventory adjustments.' })
   @ApiResponse({
     status: 200,
@@ -78,6 +88,7 @@ export class InventoryAdjustmentsController {
   }
 
   @Get(':id')
+  @RequirePermission(InventoryAdjustmentAction.VIEW, AbilitySubject.InventoryAdjustment)
   @ApiOperation({ summary: 'Retrieves the inventory adjustment details.' })
   @ApiResponse({
     status: 200,
@@ -94,6 +105,7 @@ export class InventoryAdjustmentsController {
   }
 
   @Put(':id/publish')
+  @RequirePermission(InventoryAdjustmentAction.EDIT, AbilitySubject.InventoryAdjustment)
   @ApiOperation({ summary: 'Publish the given inventory adjustment.' })
   @ApiResponse({
     status: 200,

packages/server/src/modules/InventoryCost/InventoryCost.module.ts

@@ -16,6 +16,8 @@ import {
   ComputeItemCostQueue,
   WriteInventoryTransactionsGLEntriesQueue,
 } from './types/InventoryCost.types';
+import { BullBoardModule } from '@bull-board/nestjs';
+import { BullMQAdapter } from '@bull-board/api/bullMQAdapter';
 import { BullModule } from '@nestjs/bullmq';
 import { InventoryAverageCostMethodService } from './commands/InventoryAverageCostMethod.service';
 import { InventoryItemCostService } from './commands/InventoryCosts.service';
@@ -39,6 +41,14 @@ const models = [
     BullModule.registerQueue({
       name: WriteInventoryTransactionsGLEntriesQueue,
     }),
+    BullBoardModule.forFeature({
+      name: ComputeItemCostQueue,
+      adapter: BullMQAdapter,
+    }),
+    BullBoardModule.forFeature({
+      name: WriteInventoryTransactionsGLEntriesQueue,
+      adapter: BullMQAdapter,
+    }),
     forwardRef(() => SaleInvoicesModule),
     ImportModule,
   ],
@@ -56,7 +66,7 @@ const models = [
     InventoryItemCostService,
     InventoryItemOpeningAvgCostService,
     InventoryCostSubscriber,
-    GetItemsInventoryValuationListService
+    GetItemsInventoryValuationListService,
   ],
   exports: [
     ...models,
@@ -64,6 +74,6 @@ const models = [
     InventoryItemCostService,
     InventoryComputeCostService,
   ],
-  controllers: [InventoryCostController]
+  controllers: [InventoryCostController],
 })
 export class InventoryCostModule {}

packages/server/src/modules/InventoryCost/processors/ComputeItemCost.processor.ts

@@ -7,11 +7,7 @@ import * as moment from 'moment';
 import { TenantJobPayload } from '@/interfaces/Tenant';
 import { InventoryComputeCostService } from '../commands/InventoryComputeCost.service';
 import { events } from '@/common/events/events';
-import {
-  ComputeItemCostQueue,
-  ComputeItemCostQueueJob,
-} from '../types/InventoryCost.types';
-import { Process } from '@nestjs/bull';
+import { ComputeItemCostQueue } from '../types/InventoryCost.types';
 
 interface ComputeItemCostJobPayload extends TenantJobPayload {
   itemId: number;
@@ -39,7 +35,6 @@ export class ComputeItemCostProcessor extends WorkerHost {
    * Process the compute item cost job.
    * @param {Job<ComputeItemCostJobPayload>} job - The job to process
    */
-  @Process(ComputeItemCostQueueJob)
   @UseCls()
   async process(job: Job<ComputeItemCostJobPayload>) {
     const { itemId, startingDate, organizationId, userId } = job.data;

packages/server/src/modules/InventoryCost/processors/WriteInventoryTransactionsGLEntries.processor.ts

@@ -1,8 +1,4 @@
-import { Process } from '@nestjs/bull';
-import {
-  WriteInventoryTransactionsGLEntriesQueue,
-  WriteInventoryTransactionsGLEntriesQueueJob,
-} from '../types/InventoryCost.types';
+import { WriteInventoryTransactionsGLEntriesQueue } from '../types/InventoryCost.types';
 import { Processor, WorkerHost } from '@nestjs/bullmq';
 import { Scope } from '@nestjs/common';
 
@@ -15,6 +11,5 @@ export class WriteInventoryTransactionsGLEntriesProcessor extends WorkerHost {
     super();
   }
 
-  @Process(WriteInventoryTransactionsGLEntriesQueueJob)
   async process() {}
 }

packages/server/src/modules/Items/Item.controller.ts

@@ -9,6 +9,7 @@ import {
   Put,
   Query,
   HttpCode,
+  UseGuards,
 } from '@nestjs/common';
 import { TenantController } from '../Tenancy/Tenant.controller';
 import { ItemsApplicationService } from './ItemsApplication.service';
@@ -34,6 +35,12 @@ import {
   BulkDeleteItemsDto,
   ValidateBulkDeleteItemsResponseDto,
 } from './dtos/BulkDeleteItems.dto';
+import { ItemApiErrorResponseDto } from './dtos/ItemErrorResponse.dto';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
+import { ItemAction } from '@/interfaces/Item';
 
 @Controller('/items')
 @ApiTags('Items')
@@ -45,13 +52,16 @@ import {
 @ApiExtraModels(ItemEstimatesResponseDto)
 @ApiExtraModels(ItemReceiptsResponseDto)
 @ApiExtraModels(ValidateBulkDeleteItemsResponseDto)
+@ApiExtraModels(ItemApiErrorResponseDto)
 @ApiCommonHeaders()
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class ItemsController extends TenantController {
   constructor(private readonly itemsApplication: ItemsApplicationService) {
     super();
   }
 
   @Get()
+  @RequirePermission(ItemAction.VIEW, AbilitySubject.Item)
   @ApiOperation({ summary: 'Retrieves the item list.' })
   @ApiResponse({
     status: 200,
@@ -142,11 +152,19 @@ export class ItemsController extends TenantController {
    * @returns The updated item id.
    */
   @Put(':id')
+  @RequirePermission(ItemAction.EDIT, AbilitySubject.Item)
   @ApiOperation({ summary: 'Edit the given item (product or service).' })
   @ApiResponse({
     status: 200,
     description: 'The item has been successfully updated.',
   })
+  @ApiResponse({
+    status: 400,
+    description: 'Validation error. Possible error types: ITEM_NAME_EXISTS, INVENTORY_ACCOUNT_CANNOT_MODIFIED, TYPE_CANNOT_CHANGE_WITH_ITEM_HAS_TRANSACTIONS, etc.',
+    schema: {
+      $ref: getSchemaPath(ItemApiErrorResponseDto),
+    },
+  })
   @ApiResponse({ status: 404, description: 'The item not found.' })
   @ApiParam({
     name: 'id',
@@ -165,6 +183,7 @@ export class ItemsController extends TenantController {
 
   @Post('validate-bulk-delete')
   @HttpCode(200)
+  @RequirePermission(ItemAction.DELETE, AbilitySubject.Item)
   @ApiOperation({
     summary:
       'Validates which items can be deleted and returns counts of deletable and non-deletable items.',
@@ -185,6 +204,7 @@ export class ItemsController extends TenantController {
 
   @Post('bulk-delete')
   @HttpCode(200)
+  @RequirePermission(ItemAction.DELETE, AbilitySubject.Item)
   @ApiOperation({ summary: 'Deletes multiple items in bulk.' })
   @ApiResponse({
     status: 200,
@@ -199,11 +219,19 @@ export class ItemsController extends TenantController {
   }
 
   @Post()
+  @RequirePermission(ItemAction.CREATE, AbilitySubject.Item)
   @ApiOperation({ summary: 'Create a new item (product or service).' })
   @ApiResponse({
     status: 200,
     description: 'The item has been successfully created.',
   })
+  @ApiResponse({
+    status: 400,
+    description: 'Validation error. Possible error types: ITEM_NAME_EXISTS, ITEM_CATEOGRY_NOT_FOUND, COST_ACCOUNT_NOT_COGS, SELL_ACCOUNT_NOT_INCOME, INVENTORY_ACCOUNT_NOT_INVENTORY, INCOME_ACCOUNT_REQUIRED_WITH_SELLABLE_ITEM, COST_ACCOUNT_REQUIRED_WITH_PURCHASABLE_ITEM, etc.',
+    schema: {
+      $ref: getSchemaPath(ItemApiErrorResponseDto),
+    },
+  })
   // @UsePipes(new ZodValidationPipe(createItemSchema))
   async createItem(
     @Body() createItemDto: CreateItemDto,
@@ -214,11 +242,19 @@ export class ItemsController extends TenantController {
   }
 
   @Delete(':id')
+  @RequirePermission(ItemAction.DELETE, AbilitySubject.Item)
   @ApiOperation({ summary: 'Delete the given item (product or service).' })
   @ApiResponse({
     status: 200,
     description: 'The item has been successfully deleted.',
   })
+  @ApiResponse({
+    status: 400,
+    description: 'Cannot delete item. Possible error types: ITEM_HAS_ASSOCIATED_TRANSACTINS, ITEM_HAS_ASSOCIATED_INVENTORY_ADJUSTMENT, etc.',
+    schema: {
+      $ref: getSchemaPath(ItemApiErrorResponseDto),
+    },
+  })
   @ApiResponse({ status: 404, description: 'The item not found.' })
   @ApiParam({
     name: 'id',
@@ -232,6 +268,7 @@ export class ItemsController extends TenantController {
   }
 
   @Patch(':id/inactivate')
+  @RequirePermission(ItemAction.EDIT, AbilitySubject.Item)
   @ApiOperation({ summary: 'Inactivate the given item (product or service).' })
   @ApiResponse({
     status: 200,
@@ -250,6 +287,7 @@ export class ItemsController extends TenantController {
   }
 
   @Patch(':id/activate')
+  @RequirePermission(ItemAction.EDIT, AbilitySubject.Item)
   @ApiOperation({ summary: 'Activate the given item (product or service).' })
   @ApiResponse({
     status: 200,
@@ -268,6 +306,7 @@ export class ItemsController extends TenantController {
   }
 
   @Get(':id')
+  @RequirePermission(ItemAction.VIEW, AbilitySubject.Item)
   @ApiOperation({ summary: 'Get the given item (product or service).' })
   @ApiResponse({
     status: 200,
@@ -289,6 +328,7 @@ export class ItemsController extends TenantController {
   }
 
   @Get(':id/invoices')
+  @RequirePermission(ItemAction.VIEW, AbilitySubject.Item)
   @ApiOperation({
     summary: 'Retrieves the item associated invoices transactions.',
   })
@@ -314,6 +354,7 @@ export class ItemsController extends TenantController {
   }
 
   @Get(':id/bills')
+  @RequirePermission(ItemAction.VIEW, AbilitySubject.Item)
   @ApiOperation({
     summary: 'Retrieves the item associated bills transactions.',
   })
@@ -339,6 +380,7 @@ export class ItemsController extends TenantController {
   }
 
   @Get(':id/estimates')
+  @RequirePermission(ItemAction.VIEW, AbilitySubject.Item)
   @ApiOperation({
     summary: 'Retrieves the item associated estimates transactions.',
   })
@@ -364,6 +406,7 @@ export class ItemsController extends TenantController {
   }
 
   @Get(':id/receipts')
+  @RequirePermission(ItemAction.VIEW, AbilitySubject.Item)
   @ApiOperation({
     summary: 'Retrieves the item associated receipts transactions.',
   })

packages/server/src/modules/Items/dtos/ItemErrorResponse.dto.ts

@@ -0,0 +1,112 @@
+import { ApiProperty } from '@nestjs/swagger';
+
+/**
+ * Item API Error Types
+ * These error types are returned when item operations fail validation
+ */
+export enum ItemErrorType {
+  /** Item name already exists in the system */
+  ItemNameExists = 'ITEM_NAME_EXISTS',
+  
+  /** Item category was not found */
+  ItemCategoryNotFound = 'ITEM_CATEOGRY_NOT_FOUND',
+  
+  /** Cost account is not a Cost of Goods Sold account */
+  CostAccountNotCogs = 'COST_ACCOUNT_NOT_COGS',
+  
+  /** Cost account was not found */
+  CostAccountNotFound = 'COST_ACCOUNT_NOT_FOUMD',
+  
+  /** Sell account was not found */
+  SellAccountNotFound = 'SELL_ACCOUNT_NOT_FOUND',
+  
+  /** Sell account is not an income account */
+  SellAccountNotIncome = 'SELL_ACCOUNT_NOT_INCOME',
+  
+  /** Inventory account was not found */
+  InventoryAccountNotFound = 'INVENTORY_ACCOUNT_NOT_FOUND',
+  
+  /** Account is not an inventory type account */
+  InventoryAccountNotInventory = 'INVENTORY_ACCOUNT_NOT_INVENTORY',
+  
+  /** Multiple items have associated transactions */
+  ItemsHaveAssociatedTransactions = 'ITEMS_HAVE_ASSOCIATED_TRANSACTIONS',
+  
+  /** Item has associated transactions (singular) */
+  ItemHasAssociatedTransactions = 'ITEM_HAS_ASSOCIATED_TRANSACTINS',
+  
+  /** Item has associated inventory adjustments */
+  ItemHasAssociatedInventoryAdjustment = 'ITEM_HAS_ASSOCIATED_INVENTORY_ADJUSTMENT',
+  
+  /** Cannot change item type to inventory */
+  ItemCannotChangeInventoryType = 'ITEM_CANNOT_CHANGE_INVENTORY_TYPE',
+  
+  /** Cannot change type when item has transactions */
+  TypeCannotChangeWithItemHasTransactions = 'TYPE_CANNOT_CHANGE_WITH_ITEM_HAS_TRANSACTIONS',
+  
+  /** Inventory account cannot be modified */
+  InventoryAccountCannotModified = 'INVENTORY_ACCOUNT_CANNOT_MODIFIED',
+  
+  /** Purchase tax rate was not found */
+  PurchaseTaxRateNotFound = 'PURCHASE_TAX_RATE_NOT_FOUND',
+  
+  /** Sell tax rate was not found */
+  SellTaxRateNotFound = 'SELL_TAX_RATE_NOT_FOUND',
+  
+  /** Income account is required for sellable items */
+  IncomeAccountRequiredWithSellableItem = 'INCOME_ACCOUNT_REQUIRED_WITH_SELLABLE_ITEM',
+  
+  /** Cost account is required for purchasable items */
+  CostAccountRequiredWithPurchasableItem = 'COST_ACCOUNT_REQUIRED_WITH_PURCHASABLE_ITEM',
+  
+  /** Item not found */
+  NotFound = 'NOT_FOUND',
+  
+  /** Items not found */
+  ItemsNotFound = 'ITEMS_NOT_FOUND',
+}
+
+/**
+ * Item API Error Response
+ * Returned when an item operation fails
+ */
+export class ItemErrorResponseDto {
+  @ApiProperty({
+    description: 'HTTP status code',
+    example: 400,
+  })
+  statusCode: number;
+
+  @ApiProperty({
+    description: 'Error type identifier',
+    enum: ItemErrorType,
+    example: ItemErrorType.ItemNameExists,
+  })
+  type: ItemErrorType;
+
+  @ApiProperty({
+    description: 'Human-readable error message',
+    example: 'The item name is already exist.',
+    required: false,
+    nullable: true,
+  })
+  message: string | null;
+
+  @ApiProperty({
+    description: 'Additional error payload data',
+    required: false,
+    nullable: true,
+  })
+  payload: any;
+}
+
+/**
+ * Item API Error Response Wrapper
+ */
+export class ItemApiErrorResponseDto {
+  @ApiProperty({
+    description: 'Array of error details',
+    type: [ItemErrorResponseDto],
+  })
+  errors: ItemErrorResponseDto[];
+}

packages/server/src/modules/Items/models/Item.ts

@@ -70,6 +70,16 @@ export class Item extends TenantBaseModel {
     };
   }
 
+  /**
+   * Model search roles.
+   */
+  static get searchRoles() {
+    return [
+      { condition: 'or', fieldKey: 'name', comparator: 'contains' },
+      { condition: 'or', fieldKey: 'code', comparator: 'like' },
+    ];
+  }
+
   /**
    * Relationship mapping.
    */

packages/server/src/modules/ManualJournals/ManualJournals.controller.ts

@@ -8,6 +8,7 @@ import {
   Post,
   Put,
   Query,
+  UseGuards,
 } from '@nestjs/common';
 import { ManualJournalsApplication } from './ManualJournalsApplication.service';
 import {
@@ -29,16 +30,23 @@ import {
   BulkDeleteDto,
   ValidateBulkDeleteResponseDto,
 } from '@/common/dtos/BulkDelete.dto';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
+import { ManualJournalAction } from './types/ManualJournals.types';
 
 @Controller('manual-journals')
 @ApiTags('Manual Journals')
 @ApiExtraModels(ManualJournalResponseDto)
 @ApiExtraModels(ValidateBulkDeleteResponseDto)
 @ApiCommonHeaders()
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class ManualJournalsController {
   constructor(private manualJournalsApplication: ManualJournalsApplication) { }
 
   @Post('validate-bulk-delete')
+  @RequirePermission(ManualJournalAction.Delete, AbilitySubject.ManualJournal)
   @ApiOperation({
     summary:
       'Validate which manual journals can be deleted and return the results.',
@@ -60,6 +68,7 @@ export class ManualJournalsController {
   }
 
   @Post('bulk-delete')
+  @RequirePermission(ManualJournalAction.Delete, AbilitySubject.ManualJournal)
   @ApiOperation({ summary: 'Deletes multiple manual journals.' })
   @ApiResponse({
     status: 200,
@@ -75,6 +84,7 @@ export class ManualJournalsController {
   }
 
   @Post()
+  @RequirePermission(ManualJournalAction.Create, AbilitySubject.ManualJournal)
   @ApiOperation({ summary: 'Create a new manual journal.' })
   @ApiResponse({
     status: 201,
@@ -86,6 +96,7 @@ export class ManualJournalsController {
   }
 
   @Put(':id')
+  @RequirePermission(ManualJournalAction.Edit, AbilitySubject.ManualJournal)
   @ApiOperation({ summary: 'Edit the given manual journal.' })
   @ApiResponse({
     status: 200,
@@ -110,6 +121,7 @@ export class ManualJournalsController {
   }
 
   @Delete(':id')
+  @RequirePermission(ManualJournalAction.Delete, AbilitySubject.ManualJournal)
   @ApiOperation({ summary: 'Delete the given manual journal.' })
   @ApiResponse({
     status: 200,
@@ -127,6 +139,7 @@ export class ManualJournalsController {
   }
 
   @Patch(':id/publish')
+  @RequirePermission(ManualJournalAction.Edit, AbilitySubject.ManualJournal)
   @ApiOperation({ summary: 'Publish the given manual journal.' })
   @ApiResponse({
     status: 200,
@@ -147,6 +160,7 @@ export class ManualJournalsController {
   }
 
   @Get(':id')
+  @RequirePermission(ManualJournalAction.View, AbilitySubject.ManualJournal)
   @ApiOperation({ summary: 'Retrieves the manual journal details.' })
   @ApiResponse({
     status: 200,
@@ -167,6 +181,7 @@ export class ManualJournalsController {
   }
 
   @Get()
+  @RequirePermission(ManualJournalAction.View, AbilitySubject.ManualJournal)
   @ApiOperation({ summary: 'Retrieves the manual journals paginated list.' })
   @ApiResponse({
     status: 200,

packages/server/src/modules/Organization/Organization.controller.ts

@@ -17,6 +17,7 @@ import {
   HttpCode,
   Param,
 } from '@nestjs/common';
+import { Throttle } from '@nestjs/throttler';
 import { BuildOrganizationService } from './commands/BuildOrganization.service';
 import {
   BuildOrganizationDto,
@@ -50,7 +51,7 @@ export class OrganizationController {
     private readonly updateOrganizationService: UpdateOrganizationService,
     private readonly getBuildOrganizationJobService: GetBuildOrganizationBuildJob,
     private readonly orgBaseCurrencyLockingService: OrganizationBaseCurrencyLocking,
-  ) { }
+  ) {}
 
   @Post('build')
   @HttpCode(200)
@@ -77,6 +78,7 @@ export class OrganizationController {
   }
 
   @Get('build/:buildJobId')
+  @Throttle({ default: { limit: 300, ttl: 60000 } }) // 300 req/min
   @ApiParam({
     name: 'buildJobId',
     required: true,

packages/server/src/modules/Organization/Organization.module.ts

@@ -3,6 +3,8 @@ import { GetCurrentOrganizationService } from './queries/GetCurrentOrganization.
 import { BuildOrganizationService } from './commands/BuildOrganization.service';
 import { UpdateOrganizationService } from './commands/UpdateOrganization.service';
 import { OrganizationController } from './Organization.controller';
+import { BullBoardModule } from '@bull-board/nestjs';
+import { BullMQAdapter } from '@bull-board/api/bullMQAdapter';
 import { BullModule } from '@nestjs/bullmq';
 import { OrganizationBuildQueue } from './Organization.types';
 import { OrganizationBuildProcessor } from './processors/OrganizationBuild.processor';
@@ -25,10 +27,14 @@ import { GetBuildOrganizationBuildJob } from './commands/GetBuildOrganizationJob
     OrganizationBaseCurrencyLocking,
     SyncSystemUserToTenantService,
     SyncSystemUserToTenantSubscriber,
-    GetBuildOrganizationBuildJob
+    GetBuildOrganizationBuildJob,
   ],
   imports: [
     BullModule.registerQueue({ name: OrganizationBuildQueue }),
+    BullBoardModule.forFeature({
+      name: OrganizationBuildQueue,
+      adapter: BullMQAdapter,
+    }),
     TenantDBManagerModule,
   ],
   controllers: [OrganizationController],

packages/server/src/modules/Organization/processors/OrganizationBuild.processor.ts

@@ -2,10 +2,8 @@ import { Processor, WorkerHost } from '@nestjs/bullmq';
 import { Scope } from '@nestjs/common';
 import { Job } from 'bullmq';
 import { ClsService, UseCls } from 'nestjs-cls';
-import { Process } from '@nestjs/bull';
 import {
   OrganizationBuildQueue,
-  OrganizationBuildQueueJob,
   OrganizationBuildQueueJobPayload,
 } from '../Organization.types';
 import { BuildOrganizationService } from '../commands/BuildOrganization.service';
@@ -22,7 +20,6 @@ export class OrganizationBuildProcessor extends WorkerHost {
     super();
   }
 
-  @Process(OrganizationBuildQueueJob)
   @UseCls()
   async process(job: Job<OrganizationBuildQueueJobPayload>) {
     console.log('Processing organization build job:', job.id);

packages/server/src/modules/PaymentReceived/PaymentsReceived.controller.ts

@@ -19,6 +19,7 @@ import {
   Put,
   Query,
   Res,
+  UseGuards,
 } from '@nestjs/common';
 import { PaymentReceivesApplication } from './PaymentReceived.application';
 import {
@@ -38,6 +39,11 @@ import {
   BulkDeleteDto,
   ValidateBulkDeleteResponseDto,
 } from '@/common/dtos/BulkDelete.dto';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
+import { PaymentReceiveAction } from './types/PaymentReceived.types';
 
 @Controller('payments-received')
 @ApiTags('Payments Received')
@@ -46,6 +52,7 @@ import {
 @ApiExtraModels(PaymentReceivedStateResponseDto)
 @ApiExtraModels(ValidateBulkDeleteResponseDto)
 @ApiCommonHeaders()
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class PaymentReceivesController {
   constructor(private paymentReceivesApplication: PaymentReceivesApplication) { }
 
@@ -94,6 +101,7 @@ export class PaymentReceivesController {
   }
 
   @Post()
+  @RequirePermission(PaymentReceiveAction.Create, AbilitySubject.PaymentReceive)
   @ApiOperation({ summary: 'Create a new payment received.' })
   public createPaymentReceived(
     @Body() paymentReceiveDTO: CreatePaymentReceivedDto,
@@ -104,6 +112,7 @@ export class PaymentReceivesController {
   }
 
   @Put(':id')
+  @RequirePermission(PaymentReceiveAction.Edit, AbilitySubject.PaymentReceive)
   @ApiOperation({ summary: 'Edit the given payment received.' })
   public editPaymentReceive(
     @Param('id', ParseIntPipe) paymentReceiveId: number,
@@ -116,6 +125,7 @@ export class PaymentReceivesController {
   }
 
   @Delete(':id')
+  @RequirePermission(PaymentReceiveAction.Delete, AbilitySubject.PaymentReceive)
   @ApiOperation({ summary: 'Delete the given payment received.' })
   public deletePaymentReceive(
     @Param('id', ParseIntPipe) paymentReceiveId: number,
@@ -126,6 +136,7 @@ export class PaymentReceivesController {
   }
 
   @Get()
+  @RequirePermission(PaymentReceiveAction.View, AbilitySubject.PaymentReceive)
   @ApiOperation({ summary: 'Retrieves the payment received list.' })
   @ApiResponse({
     status: 200,
@@ -151,6 +162,7 @@ export class PaymentReceivesController {
   }
 
   @Post('validate-bulk-delete')
+  @RequirePermission(PaymentReceiveAction.Delete, AbilitySubject.PaymentReceive)
   @ApiOperation({
     summary:
       'Validates which payments received can be deleted and returns the results.',
@@ -172,6 +184,7 @@ export class PaymentReceivesController {
   }
 
   @Post('bulk-delete')
+  @RequirePermission(PaymentReceiveAction.Delete, AbilitySubject.PaymentReceive)
   @ApiOperation({ summary: 'Deletes multiple payments received.' })
   @ApiResponse({
     status: 200,
@@ -187,6 +200,7 @@ export class PaymentReceivesController {
   }
 
   @Get('state')
+  @RequirePermission(PaymentReceiveAction.View, AbilitySubject.PaymentReceive)
   @ApiOperation({ summary: 'Retrieves the payment received state.' })
   @ApiResponse({
     status: 200,
@@ -200,6 +214,7 @@ export class PaymentReceivesController {
   }
 
   @Get(':id/invoices')
+  @RequirePermission(PaymentReceiveAction.View, AbilitySubject.PaymentReceive)
   @ApiOperation({ summary: 'Retrieves the payment received invoices.' })
   @ApiResponse({
     status: 200,
@@ -215,6 +230,7 @@ export class PaymentReceivesController {
   }
 
   @Get(':id')
+  @RequirePermission(PaymentReceiveAction.View, AbilitySubject.PaymentReceive)
   @ApiOperation({ summary: 'Retrieves the payment received details.' })
   @ApiResponse({
     status: 200,

packages/server/src/modules/PaymentReceived/PaymentsReceived.module.ts

@@ -1,5 +1,7 @@
 import { Module } from '@nestjs/common';
-import { BullModule } from '@nestjs/bull';
+import { BullBoardModule } from '@bull-board/nestjs';
+import { BullMQAdapter } from '@bull-board/api/bullMQAdapter';
+import { BullModule } from '@nestjs/bullmq';
 import { PaymentReceivesController } from './PaymentsReceived.controller';
 import { PaymentReceivesApplication } from './PaymentReceived.application';
 import { CreatePaymentReceivedService } from './commands/CreatePaymentReceived.serivce';
@@ -95,6 +97,10 @@ import { ValidateBulkDeletePaymentReceivedService } from './ValidateBulkDeletePa
     DynamicListModule,
     MailModule,
     BullModule.registerQueue({ name: SEND_PAYMENT_RECEIVED_MAIL_QUEUE }),
+    BullBoardModule.forFeature({
+      name: SEND_PAYMENT_RECEIVED_MAIL_QUEUE,
+      adapter: BullMQAdapter,
+    }),
   ],
 })
 export class PaymentsReceivedModule {}

packages/server/src/modules/PaymentReceived/processors/PaymentReceivedMailNotification.processor.ts

@@ -1,6 +1,6 @@
-import { JOB_REF, Process, Processor } from '@nestjs/bull';
-import { Job } from 'bull';
-import { Inject, Scope } from '@nestjs/common';
+import { Processor, WorkerHost } from '@nestjs/bullmq';
+import { Job } from 'bullmq';
+import { Scope } from '@nestjs/common';
 import { ClsService, UseCls } from 'nestjs-cls';
 import {
   SEND_PAYMENT_RECEIVED_MAIL_JOB,
@@ -13,20 +13,18 @@ import { SendPaymentReceivedMailPayload } from '../types/PaymentReceived.types';
   name: SEND_PAYMENT_RECEIVED_MAIL_QUEUE,
   scope: Scope.REQUEST,
 })
-export class SendPaymentReceivedMailProcessor {
+export class SendPaymentReceivedMailProcessor extends WorkerHost {
   constructor(
     private readonly sendPaymentReceivedMail: SendPaymentReceiveMailNotification,
     private readonly clsService: ClsService,
+  ) {
+    super();
+  }
 
-    @Inject(JOB_REF)
-    private readonly jobRef: Job<SendPaymentReceivedMailPayload>,
-  ) { }
-
-  @Process(SEND_PAYMENT_RECEIVED_MAIL_JOB)
   @UseCls()
-  async handleSendMail() {
+  async process(job: Job<SendPaymentReceivedMailPayload>) {
     const { messageOptions, paymentReceivedId, organizationId, userId } =
-      this.jobRef.data;
+      job.data;
 
     this.clsService.set('organizationId', organizationId);
     this.clsService.set('userId', userId);

packages/server/src/modules/Roles/Authorization.guard.ts

@@ -31,9 +31,10 @@ export class AuthorizationGuard implements CanActivate {
   async canActivate(context: ExecutionContext): Promise<boolean> {
     const request = context.switchToHttp().getRequest<Request>();
     const { user } = request as any;
+    const userId = this.clsService.get('userId');
 
-    if (ABILITIES_CACHE.has(user.id)) {
-      (request as any).ability = ABILITIES_CACHE.get(user.id);
+    if (ABILITIES_CACHE.has(userId)) {
+      (request as any).ability = ABILITIES_CACHE.get(userId);
     } else {
       const ability = await this.getAbilityForUser();
       (request as any).ability = ability;

packages/server/src/modules/Roles/Permission.guard.ts

@@ -0,0 +1,67 @@
+import {
+  Injectable,
+  CanActivate,
+  ExecutionContext,
+  ForbiddenException,
+} from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { Request } from 'express';
+import { REQUIRED_PERMISSION_KEY, RequiredPermission } from './RequirePermission.decorator';
+import { AbilitySubject } from './Roles.types';
+
+/**
+ * Guard that checks if the user has the required permission to access a route.
+ * Uses CASL ability instance attached to the request by AuthorizationGuard.
+ */
+@Injectable()
+export class PermissionGuard implements CanActivate {
+  constructor(private readonly reflector: Reflector) {}
+
+  /**
+   * Checks if the user has the required permission to access the route.
+   * @param context - The execution context
+   * @returns A boolean indicating if the user can access the route
+   * @throws ForbiddenException if the user doesn't have the required permission
+   */
+  canActivate(context: ExecutionContext): boolean {
+    const requiredPermission = this.reflector.getAllAndOverride<RequiredPermission>(
+      REQUIRED_PERMISSION_KEY,
+      [context.getHandler(), context.getClass()],
+    );
+
+    // If no permission is required, allow access
+    if (!requiredPermission) {
+      return true;
+    }
+
+    const request = context.switchToHttp().getRequest<Request>();
+    const ability = (request as any).ability;
+
+    // If no ability instance is attached to the request, deny access
+    if (!ability) {
+      throw new ForbiddenException('Ability instance not found. Ensure AuthorizationGuard is applied.');
+    }
+
+    const { ability: action, subject } = requiredPermission;
+
+    // Check if the user has the required permission using CASL ability
+    const hasPermission = ability.can(action, subject);
+
+    if (!hasPermission) {
+      throw new ForbiddenException(
+        `You do not have permission to ${action} ${subject}`,
+      );
+    }
+
+    return true;
+  }
+
+  /**
+   * Helper method to check if a subject value is a valid AbilitySubject.
+   * @param subject - The subject value to check
+   * @returns True if the subject is a valid AbilitySubject enum value
+   */
+  private isValidSubject(subject: string): subject is AbilitySubject {
+    return Object.values(AbilitySubject).includes(subject as AbilitySubject);
+  }
+}

packages/server/src/modules/Roles/RequirePermission.decorator.ts

@@ -0,0 +1,29 @@
+import { SetMetadata } from '@nestjs/common';
+import { AbilitySubject } from './Roles.types';
+
+export const REQUIRED_PERMISSION_KEY = 'requiredPermission';
+
+export interface RequiredPermission {
+  ability: string;
+  subject: AbilitySubject | string;
+}
+
+/**
+ * Decorator to specify required ability and subject for a route handler or controller.
+ * @param ability - The ability/action required (e.g., 'Create', 'View', 'Edit', 'Delete')
+ * @param subject - The subject/entity the ability applies to (e.g., AbilitySubject.Item, AbilitySubject.SaleInvoice)
+ * @example
+ * ```typescript
+ * @RequirePermission('Create', AbilitySubject.Item)
+ * @Post()
+ * async createItem(@Body() dto: CreateItemDto) { ... }
+ *
+ * @RequirePermission('View', AbilitySubject.SaleInvoice)
+ * @Get(':id')
+ * async getInvoice(@Param('id') id: number) { ... }
+ * ```
+ */
+export const RequirePermission = (
+  ability: string,
+  subject: AbilitySubject | string,
+) => SetMetadata(REQUIRED_PERMISSION_KEY, { ability, subject });

packages/server/src/modules/Roles/Roles.module.ts

@@ -10,6 +10,8 @@ import { RolePermission } from './models/RolePermission.model';
 import { RolesController } from './Roles.controller';
 import { RolesApplication } from './Roles.application';
 import { RolePermissionsSchema } from './queries/RolePermissionsSchema';
+import { AuthorizationGuard } from './Authorization.guard';
+import { PermissionGuard } from './Permission.guard';
 
 const models = [
   RegisterTenancyModel(Role),
@@ -25,9 +27,11 @@ const models = [
     GetRoleService,
     GetRolesService,
     RolesApplication,
-    RolePermissionsSchema
+    RolePermissionsSchema,
+    AuthorizationGuard,
+    PermissionGuard,
   ],
   controllers: [RolesController],
-  exports: [...models],
+  exports: [...models, AuthorizationGuard, PermissionGuard],
 })
 export class RolesModule {}

packages/server/src/modules/Roles/dtos/Role.dto.ts

@@ -1,3 +1,4 @@
+import { IsOptional } from '@/common/decorators/Validators';
 import { ApiProperty } from '@nestjs/swagger';
 import { Type } from 'class-transformer';
 import {
@@ -41,7 +42,7 @@ export class CommandRolePermissionDto {
 export class CreateRolePermissionDto extends CommandRolePermissionDto { }
 export class EditRolePermissionDto extends CommandRolePermissionDto {
   @IsNumber()
-  @IsNotEmpty()
+  @IsOptional()
   @ApiProperty({
     example: 1,
     description: 'The permission ID',
@@ -59,7 +60,6 @@ class CommandRoleDto {
   roleName: string;
 
   @IsString()
-  @IsNotEmpty()
   @ApiProperty({
     example: 'Administrator',
     description: 'The description of the role',
@@ -71,9 +71,9 @@ export class CreateRoleDto extends CommandRoleDto {
   @IsArray()
   @ArrayMinSize(1)
   @ValidateNested({ each: true })
-  @Type(() => CommandRolePermissionDto)
+  @Type(() => CreateRolePermissionDto)
   @ApiProperty({
-    type: [CommandRolePermissionDto],
+    type: [CreateRolePermissionDto],
     description: 'The permissions of the role',
   })
   permissions: Array<CreateRolePermissionDto>;

packages/server/src/modules/SaleEstimates/SaleEstimates.controller.ts

@@ -19,6 +19,7 @@ import {
   Put,
   Query,
   Res,
+  UseGuards,
 } from '@nestjs/common';
 import { SaleEstimatesApplication } from './SaleEstimates.application';
 import {
@@ -40,6 +41,11 @@ import {
   BulkDeleteDto,
   ValidateBulkDeleteResponseDto,
 } from '@/common/dtos/BulkDelete.dto';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
+import { SaleEstimateAction } from './types/SaleEstimates.types';
 
 @Controller('sale-estimates')
 @ApiTags('Sale Estimates')
@@ -48,8 +54,10 @@ import {
 @ApiExtraModels(SaleEstiamteStateResponseDto)
 @ApiCommonHeaders()
 @ApiExtraModels(ValidateBulkDeleteResponseDto)
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class SaleEstimatesController {
   @Post('validate-bulk-delete')
+  @RequirePermission(SaleEstimateAction.Delete, AbilitySubject.SaleEstimate)
   @ApiOperation({
     summary:
       'Validates which sale estimates can be deleted and returns the results.',
@@ -71,6 +79,7 @@ export class SaleEstimatesController {
   }
 
   @Post('bulk-delete')
+  @RequirePermission(SaleEstimateAction.Delete, AbilitySubject.SaleEstimate)
   @ApiOperation({ summary: 'Deletes multiple sale estimates.' })
   @ApiResponse({
     status: 200,
@@ -93,6 +102,7 @@ export class SaleEstimatesController {
   ) { }
 
   @Post()
+  @RequirePermission(SaleEstimateAction.Create, AbilitySubject.SaleEstimate)
   @ApiOperation({ summary: 'Create a new sale estimate.' })
   @ApiResponse({
     status: 200,
@@ -105,6 +115,7 @@ export class SaleEstimatesController {
   }
 
   @Put(':id')
+  @RequirePermission(SaleEstimateAction.Edit, AbilitySubject.SaleEstimate)
   @ApiOperation({ summary: 'Edit the given sale estimate.' })
   @ApiResponse({
     status: 200,
@@ -131,6 +142,7 @@ export class SaleEstimatesController {
   }
 
   @Delete(':id')
+  @RequirePermission(SaleEstimateAction.Delete, AbilitySubject.SaleEstimate)
   @ApiOperation({ summary: 'Delete the given sale estimate.' })
   @ApiResponse({
     status: 200,
@@ -153,6 +165,7 @@ export class SaleEstimatesController {
   }
 
   @Get('state')
+  @RequirePermission(SaleEstimateAction.View, AbilitySubject.SaleEstimate)
   @ApiOperation({ summary: 'Retrieves the sale estimate state.' })
   @ApiResponse({
     status: 200,
@@ -166,6 +179,7 @@ export class SaleEstimatesController {
   }
 
   @Get()
+  @RequirePermission(SaleEstimateAction.View, AbilitySubject.SaleEstimate)
   @ApiOperation({ summary: 'Retrieves the sale estimates.' })
   @ApiResponse({
     status: 200,
@@ -189,6 +203,7 @@ export class SaleEstimatesController {
   }
 
   @Post(':id/deliver')
+  @RequirePermission(SaleEstimateAction.Edit, AbilitySubject.SaleEstimate)
   @ApiOperation({ summary: 'Deliver the given sale estimate.' })
   @ApiResponse({
     status: 200,
@@ -207,6 +222,7 @@ export class SaleEstimatesController {
   }
 
   @Put(':id/approve')
+  @RequirePermission(SaleEstimateAction.Edit, AbilitySubject.SaleEstimate)
   @ApiOperation({ summary: 'Approve the given sale estimate.' })
   @ApiParam({
     name: 'id',
@@ -221,6 +237,7 @@ export class SaleEstimatesController {
   }
 
   @Put(':id/reject')
+  @RequirePermission(SaleEstimateAction.Edit, AbilitySubject.SaleEstimate)
   @ApiOperation({ summary: 'Reject the given sale estimate.' })
   @ApiParam({
     name: 'id',
@@ -235,6 +252,7 @@ export class SaleEstimatesController {
   }
 
   @Post(':id/notify-sms')
+  @RequirePermission(SaleEstimateAction.NotifyBySms, AbilitySubject.SaleEstimate)
   @ApiOperation({ summary: 'Notify the given sale estimate by SMS.' })
   @ApiParam({
     name: 'id',
@@ -251,6 +269,7 @@ export class SaleEstimatesController {
   }
 
   @Get(':id/sms-details')
+  @RequirePermission(SaleEstimateAction.View, AbilitySubject.SaleEstimate)
   @ApiOperation({ summary: 'Retrieves the sale estimate SMS details.' })
   public getSaleEstimateSmsDetails(
     @Param('id', ParseIntPipe) saleEstimateId: number,
@@ -262,6 +281,7 @@ export class SaleEstimatesController {
 
   @Post(':id/mail')
   @HttpCode(200)
+  @RequirePermission(SaleEstimateAction.Edit, AbilitySubject.SaleEstimate)
   @ApiOperation({ summary: 'Send the given sale estimate by mail.' })
   @ApiParam({
     name: 'id',
@@ -280,6 +300,7 @@ export class SaleEstimatesController {
   }
 
   @Get(':id/mail')
+  @RequirePermission(SaleEstimateAction.View, AbilitySubject.SaleEstimate)
   @ApiOperation({ summary: 'Retrieves the sale estimate mail state.' })
   @ApiParam({
     name: 'id',
@@ -296,6 +317,7 @@ export class SaleEstimatesController {
   }
 
   @Get(':id')
+  @RequirePermission(SaleEstimateAction.View, AbilitySubject.SaleEstimate)
   @ApiOperation({
     summary: 'Retrieves the sale estimate details.',
   })

packages/server/src/modules/SaleEstimates/SaleEstimates.module.ts

@@ -1,5 +1,7 @@
 import { Module } from '@nestjs/common';
-import { BullModule } from '@nestjs/bull';
+import { BullBoardModule } from '@bull-board/nestjs';
+import { BullMQAdapter } from '@bull-board/api/bullMQAdapter';
+import { BullModule } from '@nestjs/bullmq';
 import { TenancyContext } from '../Tenancy/TenancyContext.service';
 import { TenancyDatabaseModule } from '../Tenancy/TenancyDB/TenancyDB.module';
 import { TransformerInjectable } from '../Transformer/TransformerInjectable.service';
@@ -54,6 +56,10 @@ import { SendSaleEstimateMailProcess } from './processes/SendSaleEstimateMail.pr
     TemplateInjectableModule,
     PdfTemplatesModule,
     BullModule.registerQueue({ name: SendSaleEstimateMailQueue }),
+    BullBoardModule.forFeature({
+      name: SendSaleEstimateMailQueue,
+      adapter: BullMQAdapter,
+    }),
   ],
   controllers: [SaleEstimatesController],
   providers: [
@@ -99,4 +105,4 @@ import { SendSaleEstimateMailProcess } from './processes/SendSaleEstimateMail.pr
     GetSaleEstimateMailTemplateService,
   ],
 })
-export class SaleEstimatesModule { }
+export class SaleEstimatesModule {}

packages/server/src/modules/SaleEstimates/commands/SendSaleEstimateMail.ts

@@ -1,5 +1,5 @@
 import { InjectQueue } from '@nestjs/bullmq';
-import { Queue } from 'bull';
+import { Queue } from 'bullmq';
 import { Inject, Injectable } from '@nestjs/common';
 import { EventEmitter2 } from '@nestjs/event-emitter';
 import { ContactMailNotification } from '@/modules/MailNotification/ContactMailNotification';

packages/server/src/modules/SaleEstimates/processes/SendSaleEstimateMail.process.ts

@@ -1,7 +1,6 @@
-import { Process, Processor } from '@nestjs/bull';
-import { Job } from 'bull';
-import { Inject, Scope } from '@nestjs/common';
-import { JOB_REF } from '@nestjs/bull';
+import { Processor, WorkerHost } from '@nestjs/bullmq';
+import { Job } from 'bullmq';
+import { Scope } from '@nestjs/common';
 import {
   SendSaleEstimateMailJob,
   SendSaleEstimateMailQueue,
@@ -13,18 +12,17 @@ import { ClsService, UseCls } from 'nestjs-cls';
   name: SendSaleEstimateMailQueue,
   scope: Scope.REQUEST,
 })
-export class SendSaleEstimateMailProcess {
+export class SendSaleEstimateMailProcess extends WorkerHost {
   constructor(
     private readonly sendEstimateMailService: SendSaleEstimateMail,
     private readonly clsService: ClsService,
-    @Inject(JOB_REF)
-    private readonly jobRef: Job,
-  ) { }
+  ) {
+    super();
+  }
 
-  @Process(SendSaleEstimateMailJob)
   @UseCls()
-  async handleSendMail() {
-    const { saleEstimateId, messageOptions, organizationId, userId } = this.jobRef.data;
+  async process(job: Job) {
+    const { saleEstimateId, messageOptions, organizationId, userId } = job.data;
 
     this.clsService.set('organizationId', organizationId);
     this.clsService.set('userId', userId);

packages/server/src/modules/SaleInvoices/SaleInvoices.controller.ts

@@ -12,6 +12,7 @@ import {
   Put,
   Query,
   Res,
+  UseGuards,
 } from '@nestjs/common';
 import {
   ISaleInvoiceWriteoffDTO,
@@ -43,6 +44,11 @@ import {
   BulkDeleteDto,
   ValidateBulkDeleteResponseDto,
 } from '@/common/dtos/BulkDelete.dto';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
+import { SaleInvoiceAction } from './SaleInvoice.types';
 
 @Controller('sale-invoices')
 @ApiTags('Sale Invoices')
@@ -52,10 +58,12 @@ import {
 @ApiExtraModels(GenerateSaleInvoiceSharableLinkResponseDto)
 @ApiCommonHeaders()
 @ApiExtraModels(ValidateBulkDeleteResponseDto)
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class SaleInvoicesController {
   constructor(private saleInvoiceApplication: SaleInvoiceApplication) { }
 
   @Post('validate-bulk-delete')
+  @RequirePermission(SaleInvoiceAction.Delete, AbilitySubject.SaleInvoice)
   @ApiOperation({
     summary:
       'Validates which sale invoices can be deleted and returns the results.',
@@ -77,6 +85,7 @@ export class SaleInvoicesController {
   }
 
   @Post('bulk-delete')
+  @RequirePermission(SaleInvoiceAction.Delete, AbilitySubject.SaleInvoice)
   @ApiOperation({ summary: 'Deletes multiple sale invoices.' })
   @ApiResponse({
     status: 200,
@@ -90,6 +99,7 @@ export class SaleInvoicesController {
   }
 
   @Post()
+  @RequirePermission(SaleInvoiceAction.Create, AbilitySubject.SaleInvoice)
   @ApiOperation({ summary: 'Create a new sale invoice.' })
   @ApiResponse({
     status: 201,
@@ -121,6 +131,7 @@ export class SaleInvoicesController {
   }
 
   @Put(':id')
+  @RequirePermission(SaleInvoiceAction.Edit, AbilitySubject.SaleInvoice)
   @ApiOperation({ summary: 'Edit the given sale invoice.' })
   @ApiResponse({
     status: 200,
@@ -141,6 +152,7 @@ export class SaleInvoicesController {
   }
 
   @Delete(':id')
+  @RequirePermission(SaleInvoiceAction.Delete, AbilitySubject.SaleInvoice)
   @ApiOperation({ summary: 'Delete the given sale invoice.' })
   @ApiResponse({
     status: 200,
@@ -158,6 +170,7 @@ export class SaleInvoicesController {
   }
 
   @Get('receivable')
+  @RequirePermission(SaleInvoiceAction.View, AbilitySubject.SaleInvoice)
   @ApiOperation({ summary: 'Retrieves the receivable sale invoices.' })
   @ApiResponse({
     status: 200,
@@ -176,6 +189,7 @@ export class SaleInvoicesController {
   }
 
   @Get('state')
+  @RequirePermission(SaleInvoiceAction.View, AbilitySubject.SaleInvoice)
   @ApiOperation({ summary: 'Retrieves the sale invoice state.' })
   @ApiResponse({
     status: 200,
@@ -190,6 +204,7 @@ export class SaleInvoicesController {
   }
 
   @Get(':id')
+  @RequirePermission(SaleInvoiceAction.View, AbilitySubject.SaleInvoice)
   @ApiOperation({ summary: 'Retrieves the sale invoice details.' })
   @ApiResponse({
     status: 200,
@@ -228,6 +243,7 @@ export class SaleInvoicesController {
   }
 
   @Get()
+  @RequirePermission(SaleInvoiceAction.View, AbilitySubject.SaleInvoice)
   @ApiOperation({ summary: 'Retrieves the sale invoices.' })
   @ApiResponse({
     status: 200,
@@ -251,6 +267,7 @@ export class SaleInvoicesController {
   }
 
   @Put(':id/deliver')
+  @RequirePermission(SaleInvoiceAction.Edit, AbilitySubject.SaleInvoice)
   @ApiOperation({ summary: 'Deliver the given sale invoice.' })
   @ApiResponse({
     status: 200,
@@ -269,6 +286,7 @@ export class SaleInvoicesController {
   }
 
   @Post(':id/writeoff')
+  @RequirePermission(SaleInvoiceAction.Writeoff, AbilitySubject.SaleInvoice)
   @ApiOperation({ summary: 'Write off the given sale invoice.' })
   @HttpCode(200)
   @ApiResponse({
@@ -290,6 +308,7 @@ export class SaleInvoicesController {
   }
 
   @Post(':id/cancel-writeoff')
+  @RequirePermission(SaleInvoiceAction.Writeoff, AbilitySubject.SaleInvoice)
   @ApiOperation({ summary: 'Cancel the written off sale invoice.' })
   @ApiResponse({
     status: 200,
@@ -309,6 +328,7 @@ export class SaleInvoicesController {
   }
 
   @Get(':id/payments')
+  @RequirePermission(SaleInvoiceAction.View, AbilitySubject.SaleInvoice)
   @ApiOperation({ summary: 'Retrieves the sale invoice payments.' })
   @ApiResponse({ status: 404, description: 'The sale invoice not found.' })
   @ApiParam({
@@ -322,6 +342,7 @@ export class SaleInvoicesController {
   }
 
   @Get(':id/html')
+  @RequirePermission(SaleInvoiceAction.View, AbilitySubject.SaleInvoice)
   @ApiOperation({ summary: 'Retrieves the sale invoice HTML.' })
   @ApiResponse({ status: 404, description: 'The sale invoice not found.' })
   @ApiParam({
@@ -335,6 +356,7 @@ export class SaleInvoicesController {
   }
 
   @Get(':id/mail')
+  @RequirePermission(SaleInvoiceAction.View, AbilitySubject.SaleInvoice)
   @ApiOperation({ summary: 'Retrieves the sale invoice mail state.' })
   @ApiResponse({
     status: 200,
@@ -354,6 +376,7 @@ export class SaleInvoicesController {
   }
 
   @Post(':id/generate-link')
+  @RequirePermission(SaleInvoiceAction.Edit, AbilitySubject.SaleInvoice)
   @ApiOperation({
     summary: 'Generate sharable sale invoice link (private or public)',
   })

packages/server/src/modules/SaleInvoices/SaleInvoices.module.ts

@@ -45,7 +45,9 @@ import { SendSaleInvoiceMailCommon } from './commands/SendInvoiceInvoiceMailComm
 import { DynamicListModule } from '../DynamicListing/DynamicList.module';
 import { MailNotificationModule } from '../MailNotification/MailNotification.module';
 import { SendSaleInvoiceMailProcessor } from './processors/SendSaleInvoiceMail.processor';
-import { BullModule } from '@nestjs/bull';
+import { BullBoardModule } from '@bull-board/nestjs';
+import { BullMQAdapter } from '@bull-board/api/bullMQAdapter';
+import { BullModule } from '@nestjs/bullmq';
 import { SendSaleInvoiceQueue } from './constants';
 import { InvoicePaymentIntegrationSubscriber } from './subscribers/InvoicePaymentIntegrationSubscriber';
 import { InvoiceChangeStatusOnMailSentSubscriber } from './subscribers/InvoiceChangeStatusOnMailSentSubscriber';
@@ -81,6 +83,10 @@ import { ValidateBulkDeleteSaleInvoicesService } from './ValidateBulkDeleteSaleI
     forwardRef(() => PaymentLinksModule),
     DynamicListModule,
     BullModule.registerQueue({ name: SendSaleInvoiceQueue }),
+    BullBoardModule.forFeature({
+      name: SendSaleInvoiceQueue,
+      adapter: BullMQAdapter,
+    }),
   ],
   controllers: [SaleInvoicesController],
   providers: [
@@ -139,4 +145,4 @@ import { ValidateBulkDeleteSaleInvoicesService } from './ValidateBulkDeleteSaleI
     SaleInvoicesImportable,
   ],
 })
-export class SaleInvoicesModule { }
+export class SaleInvoicesModule {}

packages/server/src/modules/SaleInvoices/processors/SendSaleInvoiceMail.processor.ts

@@ -1,9 +1,8 @@
-import { JOB_REF, Process, Processor } from '@nestjs/bull';
-import { Job } from 'bull';
+import { Processor, WorkerHost } from '@nestjs/bullmq';
+import { Job } from 'bullmq';
 import { SendSaleInvoiceMailJob, SendSaleInvoiceQueue } from '../constants';
 import { SendSaleInvoiceMail } from '../commands/SendSaleInvoiceMail';
-import { Inject, Scope } from '@nestjs/common';
-import { REQUEST } from '@nestjs/core';
+import { Scope } from '@nestjs/common';
 import { ClsService, UseCls } from 'nestjs-cls';
 import { SendSaleInvoiceMailJobPayload } from '../SaleInvoice.types';
 
@@ -11,20 +10,18 @@ import { SendSaleInvoiceMailJobPayload } from '../SaleInvoice.types';
   name: SendSaleInvoiceQueue,
   scope: Scope.REQUEST,
 })
-export class SendSaleInvoiceMailProcessor {
+export class SendSaleInvoiceMailProcessor extends WorkerHost {
   constructor(
     private readonly sendSaleInvoiceMail: SendSaleInvoiceMail,
-    @Inject(REQUEST) private readonly request: Request,
-    @Inject(JOB_REF)
-    private readonly jobRef: Job<SendSaleInvoiceMailJobPayload>,
     private readonly clsService: ClsService,
-  ) { }
+  ) {
+    super();
+  }
 
-  @Process(SendSaleInvoiceMailJob)
   @UseCls()
-  async handleSendInvoice() {
+  async process(job: Job<SendSaleInvoiceMailJobPayload>) {
     const { messageOptions, saleInvoiceId, organizationId, userId } =
-      this.jobRef.data;
+      job.data;
 
     this.clsService.set('organizationId', organizationId);
     this.clsService.set('userId', userId);

packages/server/src/modules/SaleReceipts/SaleReceipts.module.ts

@@ -1,5 +1,7 @@
 import { Module } from '@nestjs/common';
-import { BullModule } from '@nestjs/bull';
+import { BullBoardModule } from '@bull-board/nestjs';
+import { BullMQAdapter } from '@bull-board/api/bullMQAdapter';
+import { BullModule } from '@nestjs/bullmq';
 import { SaleReceiptApplication } from './SaleReceiptApplication.service';
 import { CreateSaleReceipt } from './commands/CreateSaleReceipt.service';
 import { EditSaleReceipt } from './commands/EditSaleReceipt.service';
@@ -62,6 +64,10 @@ import { ValidateBulkDeleteSaleReceiptsService } from './ValidateBulkDeleteSaleR
     MailModule,
     MailNotificationModule,
     BullModule.registerQueue({ name: SendSaleReceiptMailQueue }),
+    BullBoardModule.forFeature({
+      name: SendSaleReceiptMailQueue,
+      adapter: BullMQAdapter,
+    }),
   ],
   providers: [
     TenancyContext,
@@ -95,4 +101,4 @@ import { ValidateBulkDeleteSaleReceiptsService } from './ValidateBulkDeleteSaleR
     ValidateBulkDeleteSaleReceiptsService,
   ],
 })
-export class SaleReceiptsModule { }
+export class SaleReceiptsModule {}

packages/server/src/modules/SaleReceipts/commands/SaleReceiptMailNotification.ts

@@ -1,4 +1,4 @@
-import { InjectQueue } from '@nestjs/bull';
+import { InjectQueue } from '@nestjs/bullmq';
 import { Queue } from 'bullmq';
 import {
   DEFAULT_RECEIPT_MAIL_CONTENT,

packages/server/src/modules/SaleReceipts/processes/SendSaleReceiptMail.process.ts

@@ -1,30 +1,26 @@
-import { Process, Processor } from '@nestjs/bull';
-import { Job } from 'bull';
-import { Inject, Scope } from '@nestjs/common';
-import { JOB_REF } from '@nestjs/bull';
+import { Processor, WorkerHost } from '@nestjs/bullmq';
+import { Job } from 'bullmq';
+import { Scope } from '@nestjs/common';
 import { SendSaleReceiptMailQueue, SendSaleReceiptMailJob } from '../constants';
 import { SaleReceiptMailNotification } from '../commands/SaleReceiptMailNotification';
-import { SaleReceiptSendMailPayload } from '../types/SaleReceipts.types';
 import { ClsService, UseCls } from 'nestjs-cls';
 
 @Processor({
   name: SendSaleReceiptMailQueue,
   scope: Scope.REQUEST,
 })
-export class SendSaleReceiptMailProcess {
+export class SendSaleReceiptMailProcess extends WorkerHost {
   constructor(
     private readonly saleReceiptMailNotification: SaleReceiptMailNotification,
     private readonly clsService: ClsService,
+  ) {
+    super();
+  }
 
-    @Inject(JOB_REF)
-    private readonly jobRef: Job<SaleReceiptSendMailPayload>,
-  ) { }
-
-  @Process(SendSaleReceiptMailJob)
   @UseCls()
-  async handleSendMailJob() {
+  async process(job: Job) {
     const { messageOpts, saleReceiptId, organizationId, userId } =
-      this.jobRef.data;
+      job.data;
 
     this.clsService.set('organizationId', organizationId);
     this.clsService.set('userId', userId);

packages/server/src/modules/Settings/Settings.controller.ts

@@ -1,16 +1,22 @@
 import { ApiOperation, ApiTags } from '@nestjs/swagger';
-import { Body, Controller, Get, Put } from '@nestjs/common';
+import { Body, Controller, Get, Put, UseGuards } from '@nestjs/common';
 import { SettingsApplicationService } from './SettingsApplication.service';
-import { ISettingsDTO } from './Settings.types';
+import { ISettingsDTO, PreferencesAction } from './Settings.types';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
 
 @Controller('settings')
 @ApiTags('Settings')
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class SettingsController {
   constructor(
     private readonly settingsApplicationService: SettingsApplicationService,
   ) {}
 
   @Put()
+  @RequirePermission(PreferencesAction.Mutate, AbilitySubject.Preferences)
   @ApiOperation({ summary: 'Save the given settings.' })
   async saveSettings(@Body() settingsDTO: ISettingsDTO) {
     return this.settingsApplicationService.saveSettings(settingsDTO);

packages/server/src/modules/System/SystemDB/SystemDB.controller.ts

@@ -1,12 +1,14 @@
-import { Controller, Get, Post } from '@nestjs/common';
+import { Controller, Get, HttpCode } from '@nestjs/common';
+import { PublicRoute } from '@/modules/Auth/guards/jwt.guard';
 
-@Controller('/system_db')
+@Controller('system_db')
+@PublicRoute()
 export class SystemDatabaseController {
   constructor() {}
 
-  @Post()
   @Get()
-  ping(){
-    
+  @HttpCode(200)
+  ping() {
+    return { status: 'ok' };
   }
 }

packages/server/src/modules/System/SystemDB/SystemDB.module.ts

@@ -6,6 +6,7 @@ import {
   SystemKnexConnectionConfigure,
 } from './SystemDB.constants';
 import { knexSnakeCaseMappers } from 'objection';
+import { SystemDatabaseController } from './SystemDB.controller';
 
 const providers = [
   {
@@ -22,6 +23,7 @@ const providers = [
       },
       migrations: {
         directory: configService.get('systemDatabase.migrationDir'),
+        loadExtensions: ['.js'],
       },
       seeds: {
         directory: configService.get('systemDatabase.seedsDir'),
@@ -41,6 +43,7 @@ const providers = [
 
 @Global()
 @Module({
+  controllers: [SystemDatabaseController],
   providers: [...providers],
   exports: [...providers],
 })

packages/server/src/modules/TaxRates/TaxRate.application.ts

@@ -62,10 +62,11 @@ export class TaxRatesApplication {
 
   /**
    * Retrieves the tax rates list.
-   * @returns {Promise<ITaxRate[]>}
+   * @returns {Promise<{ data: ITaxRate[] }>}
    */
-  public getTaxRates() {
-    return this.getTaxRatesService.getTaxRates();
+  public async getTaxRates() {
+    const taxRates = await this.getTaxRatesService.getTaxRates();
+    return { data: taxRates };
   }
 
   /**

packages/server/src/modules/TaxRates/TaxRate.controller.ts

@@ -6,6 +6,7 @@ import {
   Param,
   Post,
   Put,
+  UseGuards,
 } from '@nestjs/common';
 import { TaxRatesApplication } from './TaxRate.application';
 import {
@@ -18,15 +19,22 @@ import {
 import { CreateTaxRateDto, EditTaxRateDto } from './dtos/TaxRate.dto';
 import { TaxRateResponseDto } from './dtos/TaxRateResponse.dto';
 import { ApiCommonHeaders } from '@/common/decorators/ApiCommonHeaders';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
+import { TaxRateAction } from './TaxRates.types';
 
 @Controller('tax-rates')
 @ApiTags('Tax Rates')
 @ApiExtraModels(TaxRateResponseDto)
 @ApiCommonHeaders()
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class TaxRatesController {
   constructor(private readonly taxRatesApplication: TaxRatesApplication) { }
 
   @Post()
+  @RequirePermission(TaxRateAction.CREATE, AbilitySubject.TaxRate)
   @ApiOperation({ summary: 'Create a new tax rate.' })
   @ApiResponse({
     status: 201,
@@ -38,6 +46,7 @@ export class TaxRatesController {
   }
 
   @Put(':id')
+  @RequirePermission(TaxRateAction.EDIT, AbilitySubject.TaxRate)
   @ApiOperation({ summary: 'Edit the given tax rate.' })
   @ApiResponse({
     status: 200,
@@ -54,6 +63,7 @@ export class TaxRatesController {
   }
 
   @Delete(':id')
+  @RequirePermission(TaxRateAction.DELETE, AbilitySubject.TaxRate)
   @ApiOperation({ summary: 'Delete the given tax rate.' })
   @ApiResponse({
     status: 200,
@@ -67,6 +77,7 @@ export class TaxRatesController {
   }
 
   @Get(':id')
+  @RequirePermission(TaxRateAction.VIEW, AbilitySubject.TaxRate)
   @ApiOperation({ summary: 'Retrieves the tax rate details.' })
   @ApiResponse({
     status: 200,
@@ -80,14 +91,20 @@ export class TaxRatesController {
   }
 
   @Get()
+  @RequirePermission(TaxRateAction.VIEW, AbilitySubject.TaxRate)
   @ApiOperation({ summary: 'Retrieves the tax rates.' })
   @ApiResponse({
     status: 200,
     description: 'The tax rates have been successfully retrieved.',
     schema: {
-      type: 'array',
-      items: {
-        $ref: getSchemaPath(TaxRateResponseDto),
+      type: 'object',
+      properties: {
+        data: {
+          type: 'array',
+          items: {
+            $ref: getSchemaPath(TaxRateResponseDto),
+          },
+        },
       },
     },
   })
@@ -96,6 +113,7 @@ export class TaxRatesController {
   }
 
   @Put(':id/activate')
+  @RequirePermission(TaxRateAction.EDIT, AbilitySubject.TaxRate)
   @ApiOperation({ summary: 'Activate the given tax rate.' })
   @ApiResponse({
     status: 200,
@@ -109,6 +127,7 @@ export class TaxRatesController {
   }
 
   @Put(':id/inactivate')
+  @RequirePermission(TaxRateAction.EDIT, AbilitySubject.TaxRate)
   @ApiOperation({ summary: 'Inactivate the given tax rate.' })
   @ApiResponse({
     status: 200,

packages/server/src/modules/TaxRates/dtos/TaxRate.dto.ts

@@ -1,3 +1,4 @@
+import { ToNumber } from '@/common/decorators/Validators';
 import { ApiProperty } from '@nestjs/swagger';
 import { Transform } from 'class-transformer';
 import {
@@ -30,6 +31,7 @@ export class CommandTaxRateDto {
    */
   @IsNumber()
   @IsNotEmpty()
+  @ToNumber()
   @ApiProperty({
     description: 'The rate of the tax rate.',
     example: 10,

packages/server/src/modules/Tenancy/TenancyDB/TenancyDB.module.ts

@@ -33,6 +33,7 @@ export const TenancyDatabaseProxyProvider = ClsModule.forFeatureAsync({
       },
       migrations: {
         directory: configService.get('tenantDatabase.migrationsDir'),
+        loadExtensions: ['.js'],
       },
       seeds: {
         directory: configService.get('tenantDatabase.seedsDir'),

packages/server/src/modules/UsersModule/Users.controller.ts

@@ -22,7 +22,7 @@ export class UsersController {
   /**
    * Edit details of the given user.
    */
-  @Post(':id')
+  @Put(':id')
   @ApiOperation({ summary: 'Edit details of the given user.' })
   @ApiResponse({
     status: 200,

packages/server/src/modules/UsersModule/Users.module.ts

@@ -1,4 +1,7 @@
 import { Module } from '@nestjs/common';
+import { BullModule } from '@nestjs/bullmq';
+import { BullBoardModule } from '@bull-board/nestjs';
+import { BullMQAdapter } from '@bull-board/api/bullMQAdapter';
 import { ActivateUserService } from './commands/ActivateUser.service';
 import { DeleteUserService } from './commands/DeleteUser.service';
 import { EditUserService } from './commands/EditUser.service';
@@ -18,11 +21,24 @@ import { AcceptInviteUserService } from './commands/AcceptInviteUser.service';
 import { InviteTenantUserService } from './commands/InviteUser.service';
 import { UsersInviteController } from './UsersInvite.controller';
 import { InjectSystemModel } from '../System/SystemModels/SystemModels.module';
+import { SendInviteUserMailQueue } from './Users.constants';
+import InviteSendMainNotificationSubscribe from './subscribers/InviteSendMailNotification.subscriber';
+import { SendInviteUserMailProcessor } from './processors/SendInviteUserMail.processor';
+import { SendInviteUsersMailMessage } from './commands/SendInviteUsersMailMessage.service';
+import { MailModule } from '../Mail/Mail.module';
 
 const models = [InjectSystemModel(UserInvite)];
 
 @Module({
-  imports: [TenancyModule],
+  imports: [
+    TenancyModule,
+    MailModule,
+    BullModule.registerQueue({ name: SendInviteUserMailQueue }),
+    BullBoardModule.forFeature({
+      name: SendInviteUserMailQueue,
+      adapter: BullMQAdapter,
+    }),
+  ],
   exports: [...models],
   providers: [
     ...models,
@@ -39,6 +55,9 @@ const models = [InjectSystemModel(UserInvite)];
     SyncTenantUserMutateSubscriber,
     SyncSystemSendInviteSubscriber,
     SyncTenantAcceptInviteSubscriber,
+    InviteSendMainNotificationSubscribe,
+    SendInviteUserMailProcessor,
+    SendInviteUsersMailMessage,
     UsersApplication
   ],
   controllers: [UsersController, UsersInviteController],

packages/server/src/modules/UsersModule/Users.types.ts

@@ -32,10 +32,12 @@ export interface ITenantUserDeletedPayload {
 export interface IUserInvitedEventPayload {
   inviteToken: string;
   user: ModelObject<TenantUser>;
+  invitingUser: ModelObject<TenantUser>;
 }
 export interface IUserInviteTenantSyncedEventPayload {
   invite: ModelObject<UserInvite>;
   user: ModelObject<TenantUser>;
+  invitingUser: ModelObject<TenantUser>;
 }
 
 export interface IUserInviteResendEventPayload {

packages/server/src/modules/UsersModule/commands/InactivateUser.service.ts

@@ -43,11 +43,11 @@ export class InactivateUserService {
     // Throw serivce error if the user is already inactivated.
     this.throwErrorIfUserInactive(tenantUser);
 
-    // Marks the tenant user as active.
+    // Marks the tenant user as inactive.
     await this.tenantUserModel()
       .query()
       .findById(userId)
-      .update({ active: true });
+      .update({ active: false });
 
     // Triggers `onTenantUserActivated` event.
     await this.eventEmitter.emitAsync(events.tenantUser.onInactivated, {

packages/server/src/modules/UsersModule/commands/InviteUser.service.ts

@@ -15,11 +15,13 @@ import { events } from '@/common/events/events';
 import { Role } from '@/modules/Roles/models/Role.model';
 import { ModelObject } from 'objection';
 import { SendInviteUserDto } from '../dtos/InviteUser.dto';
+import { TenancyContext } from '@/modules/Tenancy/TenancyContext.service';
 
 @Injectable()
 export class InviteTenantUserService {
   constructor(
     private readonly eventEmitter: EventEmitter2,
+    private readonly tenancyContext: TenancyContext,
 
     @Inject(TenantUser.name)
     private readonly tenantUserModel: TenantModelProxy<typeof TenantUser>,
@@ -53,10 +55,18 @@ export class InviteTenantUserService {
       active: true,
       invitedAt: new Date(),
     });
+
+    // Retrieves the authorized user (inviting user).
+    const authorizedUser = await this.tenancyContext.getSystemUser();
+    const invitingUser = await this.tenantUserModel()
+      .query()
+      .findOne({ systemUserId: authorizedUser.id });
+
     // Triggers `onUserSendInvite` event.
     await this.eventEmitter.emitAsync(events.inviteUser.sendInvite, {
       inviteToken,
       user,
+      invitingUser,
     } as IUserInvitedEventPayload);
 
     return { invitedUser: user };

packages/server/src/modules/UsersModule/commands/SendInviteUsersMailMessage.service.ts

@@ -27,7 +27,7 @@ export class SendInviteUsersMailMessage {
     invite: ModelObject<UserInvite>,
   ) {
     const tenant = await this.tenancyContext.getTenant(true);
-    const root = path.join(global.__views_dir, '/images/bigcapital.png');
+    const root = path.join(global.__images_dirname, '/bigcapital.png');
     const baseURL = this.configService.get('baseURL');
 
     const mail = new Mail()

packages/server/src/modules/UsersModule/processors/SendInviteUserMail.processor.ts

@@ -1,7 +1,6 @@
-import { JOB_REF, Process, Processor } from '@nestjs/bull';
-import { Job } from 'bull';
-import { Inject, Scope } from '@nestjs/common';
-import { REQUEST } from '@nestjs/core';
+import { Processor, WorkerHost } from '@nestjs/bullmq';
+import { Job } from 'bullmq';
+import { Scope } from '@nestjs/common';
 import { ClsService, UseCls } from 'nestjs-cls';
 import {
   SendInviteUserMailJob,
@@ -14,19 +13,17 @@ import { SendInviteUsersMailMessage } from '../commands/SendInviteUsersMailMessa
   name: SendInviteUserMailQueue,
   scope: Scope.REQUEST,
 })
-export class SendInviteUserMailProcessor {
+export class SendInviteUserMailProcessor extends WorkerHost {
   constructor(
     private readonly sendInviteUsersMailService: SendInviteUsersMailMessage,
-    @Inject(REQUEST) private readonly request: Request,
-    @Inject(JOB_REF)
-    private readonly jobRef: Job<SendInviteUserMailJobPayload>,
     private readonly clsService: ClsService,
-  ) { }
+  ) {
+    super();
+  }
 
-  @Process(SendInviteUserMailJob)
   @UseCls()
-  async handleSendInviteMail() {
-    const { fromUser, invite, organizationId, userId } = this.jobRef.data;
+  async process(job: Job<SendInviteUserMailJobPayload>) {
+    const { fromUser, invite, organizationId, userId } = job.data;
 
     this.clsService.set('organizationId', organizationId);
     this.clsService.set('userId', userId);

packages/server/src/modules/UsersModule/subscribers/InviteSendMailNotification.subscriber.ts

@@ -1,6 +1,6 @@
 import { Injectable } from '@nestjs/common';
-import { InjectQueue } from '@nestjs/bull';
-import { Queue } from 'bull';
+import { InjectQueue } from '@nestjs/bullmq';
+import { Queue } from 'bullmq';
 import { events } from '@/common/events/events';
 import { OnEvent } from '@nestjs/event-emitter';
 import {
@@ -29,6 +29,7 @@ export default class InviteSendMainNotificationSubscribe {
   async sendMailNotification({
     invite,
     user,
+    invitingUser,
   }: IUserInviteTenantSyncedEventPayload) {
     const tenant = await this.tenancyContext.getTenant();
     const authedUser = await this.tenancyContext.getSystemUser();
@@ -37,7 +38,7 @@ export default class InviteSendMainNotificationSubscribe {
     const userId = authedUser.id;
 
     this.sendInviteMailQueue.add(SendInviteUserMailJob, {
-      fromUser: user,
+      fromUser: invitingUser,
       invite,
       userId,
       organizationId,

packages/server/src/modules/UsersModule/subscribers/SyncSystemSendInvite.subscriber.ts

@@ -33,7 +33,7 @@ export class SyncSystemSendInviteSubscriber {
    * @param {IUserInvitedEventPayload} payload -
    */
   @OnEvent(events.inviteUser.sendInvite)
-  async syncSendInviteSystem({ inviteToken, user }: IUserInvitedEventPayload) {
+  async syncSendInviteSystem({ inviteToken, user, invitingUser }: IUserInvitedEventPayload) {
     const authorizedUser = await this.tenancyContext.getSystemUser();
     const tenantId = authorizedUser.tenantId;
 
@@ -63,6 +63,7 @@ export class SyncSystemSendInviteSubscriber {
       {
         invite,
         user,
+        invitingUser,
       } as IUserInviteTenantSyncedEventPayload,
     );
   }

packages/server/src/modules/VendorCredit/VendorCredits.controller.ts

@@ -7,6 +7,7 @@ import {
   Post,
   Put,
   Query,
+  UseGuards,
 } from '@nestjs/common';
 import { VendorCreditsApplicationService } from './VendorCreditsApplication.service';
 import { IVendorCreditsQueryDTO } from './types/VendorCredit.types';
@@ -26,17 +27,24 @@ import {
   BulkDeleteDto,
   ValidateBulkDeleteResponseDto,
 } from '@/common/dtos/BulkDelete.dto';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
+import { VendorCreditAction } from './types/VendorCredit.types';
 
 @Controller('vendor-credits')
 @ApiTags('Vendor Credits')
 @ApiCommonHeaders()
 @ApiExtraModels(ValidateBulkDeleteResponseDto)
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class VendorCreditsController {
   constructor(
     private readonly vendorCreditsApplication: VendorCreditsApplicationService,
   ) { }
 
   @Post('validate-bulk-delete')
+  @RequirePermission(VendorCreditAction.Delete, AbilitySubject.VendorCredit)
   @ApiOperation({
     summary:
       'Validates which vendor credits can be deleted and returns the results.',
@@ -58,6 +66,7 @@ export class VendorCreditsController {
   }
 
   @Post('bulk-delete')
+  @RequirePermission(VendorCreditAction.Delete, AbilitySubject.VendorCredit)
   @ApiOperation({ summary: 'Deletes multiple vendor credits.' })
   @ApiResponse({
     status: 200,
@@ -73,24 +82,28 @@ export class VendorCreditsController {
   }
 
   @Post()
+  @RequirePermission(VendorCreditAction.Create, AbilitySubject.VendorCredit)
   @ApiOperation({ summary: 'Create a new vendor credit.' })
   async createVendorCredit(@Body() dto: CreateVendorCreditDto) {
     return this.vendorCreditsApplication.createVendorCredit(dto);
   }
 
   @Put(':id/open')
+  @RequirePermission(VendorCreditAction.Edit, AbilitySubject.VendorCredit)
   @ApiOperation({ summary: 'Open the given vendor credit.' })
   async openVendorCredit(@Param('id') vendorCreditId: number) {
     return this.vendorCreditsApplication.openVendorCredit(vendorCreditId);
   }
 
   @Get()
+  @RequirePermission(VendorCreditAction.View, AbilitySubject.VendorCredit)
   @ApiOperation({ summary: 'Retrieves the vendor credits.' })
   async getVendorCredits(@Query() filterDTO: IVendorCreditsQueryDTO) {
     return this.vendorCreditsApplication.getVendorCredits(filterDTO);
   }
 
   @Put(':id')
+  @RequirePermission(VendorCreditAction.Edit, AbilitySubject.VendorCredit)
   @ApiOperation({ summary: 'Edit the given vendor credit.' })
   async editVendorCredit(
     @Param('id') vendorCreditId: number,
@@ -100,12 +113,14 @@ export class VendorCreditsController {
   }
 
   @Delete(':id')
+  @RequirePermission(VendorCreditAction.Delete, AbilitySubject.VendorCredit)
   @ApiOperation({ summary: 'Delete the given vendor credit.' })
   async deleteVendorCredit(@Param('id') vendorCreditId: number) {
     return this.vendorCreditsApplication.deleteVendorCredit(vendorCreditId);
   }
 
   @Get(':id')
+  @RequirePermission(VendorCreditAction.View, AbilitySubject.VendorCredit)
   @ApiOperation({ summary: 'Retrieves the vendor credit details.' })
   async getVendorCredit(@Param('id') vendorCreditId: number) {
     return this.vendorCreditsApplication.getVendorCredit(vendorCreditId);

packages/server/src/modules/VendorCreditsApplyBills/VendorCreditApplyBills.controller.ts

@@ -1,16 +1,33 @@
-import { Body, Controller, Delete, Get, Param, Post } from '@nestjs/common';
+import {
+  Body,
+  Controller,
+  Delete,
+  Get,
+  Param,
+  Post,
+  UseGuards,
+} from '@nestjs/common';
 import { VendorCreditApplyBillsApplicationService } from './VendorCreditApplyBillsApplication.service';
 import { IVendorCreditApplyToInvoicesDTO } from './types/VendorCreditApplyBills.types';
 import { ApiTags } from '@nestjs/swagger';
+import { ApiCommonHeaders } from '@/common/decorators/ApiCommonHeaders';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
+import { VendorCreditAction } from '../VendorCredit/types/VendorCredit.types';
 
 @Controller('vendor-credits')
 @ApiTags('Vendor Credits Apply Bills')
+@ApiCommonHeaders()
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class VendorCreditApplyBillsController {
   constructor(
     private readonly vendorCreditApplyBillsApplication: VendorCreditApplyBillsApplicationService,
   ) {}
 
   @Get(':vendorCreditId/bills-to-apply')
+  @RequirePermission(VendorCreditAction.View, AbilitySubject.VendorCredit)
   async getVendorCreditToApplyBills(
     @Param('vendorCreditId') vendorCreditId: number,
   ) {
@@ -20,6 +37,7 @@ export class VendorCreditApplyBillsController {
   }
 
   @Post(':vendorCreditId/apply-to-bills')
+  @RequirePermission(VendorCreditAction.Edit, AbilitySubject.VendorCredit)
   async applyVendorCreditToBills(
     @Param('vendorCreditId') vendorCreditId: number,
     @Body() applyCreditToBillsDTO: IVendorCreditApplyToInvoicesDTO,
@@ -31,6 +49,7 @@ export class VendorCreditApplyBillsController {
   }
 
   @Delete('applied-bills/:vendorCreditAppliedBillId')
+  @RequirePermission(VendorCreditAction.Edit, AbilitySubject.VendorCredit)
   async deleteAppliedBillToVendorCredit(
     @Param('vendorCreditAppliedBillId') vendorCreditAppliedBillId: number,
   ) {
@@ -40,6 +59,7 @@ export class VendorCreditApplyBillsController {
   }
 
   @Get(':vendorCreditId/applied-bills')
+  @RequirePermission(VendorCreditAction.View, AbilitySubject.VendorCredit)
   async getAppliedBillsToVendorCredit(
     @Param('vendorCreditId') vendorCreditId: number,
   ) {

packages/server/src/modules/VendorCreditsRefund/VendorCreditsRefund.controller.ts

@@ -1,11 +1,27 @@
-import { Body, Controller, Delete, Get, Param, Post } from '@nestjs/common';
+import {
+  Body,
+  Controller,
+  Delete,
+  Get,
+  Param,
+  Post,
+  UseGuards,
+} from '@nestjs/common';
 import { VendorCreditsRefundApplication } from './VendorCreditsRefund.application';
 import { RefundVendorCredit } from './models/RefundVendorCredit';
 import { ApiOperation, ApiTags } from '@nestjs/swagger';
 import { RefundVendorCreditDto } from './dtos/RefundVendorCredit.dto';
+import { ApiCommonHeaders } from '@/common/decorators/ApiCommonHeaders';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
+import { VendorCreditAction } from '../VendorCredit/types/VendorCredit.types';
 
 @Controller('vendor-credits')
 @ApiTags('Vendor Credits Refunds')
+@ApiCommonHeaders()
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class VendorCreditsRefundController {
   constructor(
     private readonly vendorCreditsRefundApplication: VendorCreditsRefundApplication,
@@ -17,6 +33,7 @@ export class VendorCreditsRefundController {
    * @returns {Promise<IRefundVendorCreditPOJO[]>}
    */
   @Get(':vendorCreditId/refund')
+  @RequirePermission(VendorCreditAction.View, AbilitySubject.VendorCredit)
   @ApiOperation({ summary: 'Retrieve the vendor credit refunds graph.' })
   public getVendorCreditRefunds(
     @Param('vendorCreditId') vendorCreditId: string,
@@ -33,6 +50,7 @@ export class VendorCreditsRefundController {
    * @returns {Promise<RefundVendorCredit>}
    */
   @Post(':vendorCreditId/refund')
+  @RequirePermission(VendorCreditAction.Refund, AbilitySubject.VendorCredit)
   @ApiOperation({ summary: 'Create a refund for the given vendor credit.' })
   public async createRefundVendorCredit(
     @Param('vendorCreditId') vendorCreditId: string,
@@ -50,6 +68,7 @@ export class VendorCreditsRefundController {
    * @returns {Promise<void>}
    */
   @Delete('refunds/:refundCreditId')
+  @RequirePermission(VendorCreditAction.Refund, AbilitySubject.VendorCredit)
   @ApiOperation({ summary: 'Delete a refund for the given vendor credit.' })
   public async deleteRefundVendorCredit(
     @Param('refundCreditId') refundCreditId: string,

packages/server/src/modules/Vendors/Vendors.controller.ts

@@ -7,6 +7,7 @@ import {
   Post,
   Put,
   Query,
+  UseGuards,
 } from '@nestjs/common';
 import { VendorsApplication } from './VendorsApplication.service';
 import { VendorOpeningBalanceEditDto } from './dtos/VendorOpeningBalanceEdit.dto';
@@ -24,44 +25,56 @@ import {
   BulkDeleteVendorsDto,
   ValidateBulkDeleteVendorsResponseDto,
 } from './dtos/BulkDeleteVendors.dto';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
+import { VendorAction } from '../Customers/types/Customers.types';
 
 @Controller('vendors')
 @ApiTags('Vendors')
 @ApiCommonHeaders()
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class VendorsController {
   constructor(private vendorsApplication: VendorsApplication) {}
 
   @Get()
+  @RequirePermission(VendorAction.View, AbilitySubject.Vendor)
   @ApiOperation({ summary: 'Retrieves the vendors.' })
   getVendors(@Query() filterDTO: GetVendorsQueryDto) {
     return this.vendorsApplication.getVendors(filterDTO);
   }
 
   @Get(':id')
+  @RequirePermission(VendorAction.View, AbilitySubject.Vendor)
   @ApiOperation({ summary: 'Retrieves the vendor details.' })
   getVendor(@Param('id') vendorId: number) {
     return this.vendorsApplication.getVendor(vendorId);
   }
 
   @Post()
+  @RequirePermission(VendorAction.Create, AbilitySubject.Vendor)
   @ApiOperation({ summary: 'Create a new vendor.' })
   createVendor(@Body() vendorDTO: CreateVendorDto) {
     return this.vendorsApplication.createVendor(vendorDTO);
   }
 
   @Put(':id')
+  @RequirePermission(VendorAction.Edit, AbilitySubject.Vendor)
   @ApiOperation({ summary: 'Edit the given vendor.' })
   editVendor(@Param('id') vendorId: number, @Body() vendorDTO: EditVendorDto) {
     return this.vendorsApplication.editVendor(vendorId, vendorDTO);
   }
 
   @Delete(':id')
+  @RequirePermission(VendorAction.Delete, AbilitySubject.Vendor)
   @ApiOperation({ summary: 'Delete the given vendor.' })
   deleteVendor(@Param('id') vendorId: number) {
     return this.vendorsApplication.deleteVendor(vendorId);
   }
 
   @Put(':id/opening-balance')
+  @RequirePermission(VendorAction.Edit, AbilitySubject.Vendor)
   @ApiOperation({ summary: 'Edit the given vendor opening balance.' })
   editOpeningBalance(
     @Param('id') vendorId: number,
@@ -74,6 +87,7 @@ export class VendorsController {
   }
 
   @Post('validate-bulk-delete')
+  @RequirePermission(VendorAction.Delete, AbilitySubject.Vendor)
   @ApiOperation({
     summary:
       'Validates which vendors can be deleted and returns counts of deletable and non-deletable vendors.',
@@ -93,6 +107,7 @@ export class VendorsController {
   }
 
   @Post('bulk-delete')
+  @RequirePermission(VendorAction.Delete, AbilitySubject.Vendor)
   @ApiOperation({ summary: 'Deletes multiple vendors in bulk.' })
   @ApiResponse({
     status: 200,

packages/webapp/src/components/FinancialSheet/ReportDataTable.tsx

@@ -4,7 +4,12 @@ import styled from 'styled-components';
 import { DataTable } from '../Datatable';
 
 export const ReportDataTable = styled(DataTable)`
+  --x-table-no-results-border-color: #ddd;
+
+  .bp4-dark & {
+    --x-table-no-results-border-color: var(--color-dark-gray5);
+  }
   .table .tbody .tr.no-results:last-of-type .td {
-    border-bottom: 1px solid #ddd;
+    border-bottom: 1px solid var(--x-table-no-results-border-color);
   }
 `;

packages/webapp/src/components/Preferences/PreferencesSidebar.tsx

@@ -3,7 +3,7 @@ import React from 'react';
 import { Menu, MenuItem, MenuDivider } from '@blueprintjs/core';
 import { useHistory, useLocation } from 'react-router-dom';
 import { FormattedMessage as T } from '@/components';
-import preferencesMenu from '@/constants/preferencesMenu';
+import { PreferencesMenu } from '@/constants/preferencesMenu';
 import PreferencesSidebarContainer from './PreferencesSidebarContainer';
 
 import '@/style/pages/Preferences/Sidebar.scss';
@@ -15,7 +15,7 @@ export default function PreferencesSidebar() {
   const history = useHistory();
   const location = useLocation();
 
-  const items = preferencesMenu.map((item) =>
+  const items = PreferencesMenu.map((item) =>
     item.divider ? (
       <MenuDivider title={item.title} />
     ) : (

packages/webapp/src/components/TextStatus/index.tsx

@@ -10,12 +10,17 @@ const TextStatusRoot = styled.span`
   ${(props) =>
     props.intent === 'warning' &&
     `
-  color: #ec5b0a;`}
+  color: #c87619;`}
+
+  ${(props) =>
+    props.intent === 'danger' &&
+    `
+  color: #f17377;`}
 
   ${(props) =>
     props.intent === 'success' &&
     `
-  color: #2ba01d;`}
+  color: #238551;`}
 
   ${(props) =>
     props.intent === 'none' &&