API — Leave
Purpose
Leave requests and their two-step approval chain.
Auth & roles
Base /api/leave-requests · class [Authorize]. Gates: leave_request.submit (submit), leave_request.view_own / leave_request.view_all (read), leave_request.approve (approve/reject). The approve gate is held by SYS_ADMIN + HR_ADMIN + MANAGER + SUPERVISOR (see RBAC matrix).
Endpoints
| Method | Path | Purpose | Gate |
|---|---|---|---|
| GET | /api/leave-requests |
List (all, for approvers) | leave_request.view_all |
| POST | /api/leave-requests |
Submit a request | leave_request.submit |
| GET | /api/leave-requests/{id} |
Request detail | leave_request.view_own |
| PATCH | /api/leave-requests/{id}/approve |
Approve a step | leave_request.approve |
| PATCH | /api/leave-requests/{id}/reject |
Reject | leave_request.approve |
| PATCH | /api/leave-requests/{id}/cancel |
Cancel own request | leave_request.view_own |
Shapes & errors
A request flows through a 2-step Manager → HR_Admin approval chain (leave_requests + leave_approval_steps, sheet 11). The LEAVE_CONFLICT allocation rule reads real leave data. Standard ProblemDetails.
Gotchas
- No leave-type taxonomy. There is no Annual/Sick/Vacation classification — a request has no
LeaveType(sheet 11). Don't expect a type field. - Cancel sets status, not soft-delete. Cancelling sets
Status = Cancelled; it does not setIsDeleted(sheet 01 edge-cases). - Two approval gates coexist — the step chain uses
leave_request.approve; a legacyleave.approvegate (SYS_ADMIN + MANAGER) also exists. Check which a given path uses.
Related
- Submit & track leave (task) · Approve leave (task)
- Swagger:
/swagger· Fact sheet 11 (leave management).