50  if (!accessChecker.isUserMemberOfGroup(user, FINANCE_GROUP))
51      return false                                   ← gate: finance group required
53  if (accessChecker.isUserMemberOfAdminGroup(user))
54      return true                                    ← bypass: admins always have access
57  if (!accessChecker.isUserMemberOfGroup(user, FINANCE_GROUP))
58      return false                                   ← redundant: same check as line 50
61  if (obj == null && oldObj == null)
62      return true                                    ← null objects = general read access
65  return BaseUserGroupRightUtils.hasAccess(...)      ← check object-level rights

Is user in FINANCE_GROUP?
├─ NO  → denied
└─ YES → Is user an admin?
         ├─ YES → granted (admin override)
         └─ NO  → Is object null (new record or general query)?
                  ├─ YES → granted (read access for all finance members)
                  └─ NO  → Check object-level rights via BaseUserGroupRightUtils
                           ├─ has rights → granted
                           └─ no rights  → denied
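
The flow above as a stand-alone truth-table check, added here as an illustration and not taken from the project: `AccessModel`, `User` and the `objectRights` flag are hypothetical stand-ins, the last one for the result of `BaseUserGroupRightUtils.hasAccess(...)`. It enumerates every input combination to confirm that the listing and the decision tree agree, that the repeated check at line 57 never changes an outcome, and that an admin outside FINANCE_GROUP is still denied (Java 16+ for records).

```java
// Added illustration: a stand-alone model of the hasAccess() flow annotated above.
// AccessModel, User and objectRights are hypothetical stand-ins, not project classes.
public class AccessModel {
    record User(boolean finance, boolean admin, boolean objectRights) {}

    // Mirrors listing lines 50-65; 'secondGate' toggles the check at lines 57-58.
    static boolean hasAccess(User u, Object obj, Object oldObj, boolean secondGate) {
        if (!u.finance()) return false;                 // 50-51: finance gate
        if (u.admin()) return true;                     // 53-54: admin override
        if (secondGate && !u.finance()) return false;   // 57-58: repeated gate
        if (obj == null && oldObj == null) return true; // 61-62: general read access
        return u.objectRights();                        // 65: stand-in for the object-level check
    }

    // The decision tree, written independently of the code path above.
    static boolean tree(User u, boolean bothNull) {
        return u.finance() && (u.admin() || bothNull || u.objectRights());
    }

    static void check(boolean ok, String msg) {
        if (!ok) throw new AssertionError(msg);
    }

    public static void main(String[] args) {
        Object rec = new Object(); // constructed sample record
        boolean[] tf = {false, true};
        for (boolean fin : tf) for (boolean adm : tf) for (boolean rights : tf)
            for (boolean hasObj : tf) for (boolean hasOld : tf) {
                User u = new User(fin, adm, rights);
                Object obj = hasObj ? rec : null;
                Object old = hasOld ? rec : null;
                boolean got = hasAccess(u, obj, old, true);
                // 1. Code and tree agree on every input.
                check(got == tree(u, obj == null && old == null), "tree mismatch " + u);
                // 2. Dropping lines 57-58 never changes the outcome.
                check(got == hasAccess(u, obj, old, false), "second gate matters " + u);
                // 3. Nobody outside the finance group gets in, admins included.
                check(fin || !got, "non-finance user granted " + u);
                System.out.printf("fin=%b adm=%b rights=%b obj=%b old=%b -> %b%n",
                        fin, adm, rights, hasObj, hasOld, got);
            }
    }
}
```
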
DAO for bank accounts, the parent entity of BankAccountBalanceDO (#46). Same pattern as BankAccountBalanceDao (#45): extends
BaseDao, overrides hasAccess() and newInstance(). Called by BankAccountBalanceDao.hasAccess() line 68 as the authorization delegate.