Issue in updating an application status. #31
vipinvijay1986 announced in Announcements
Replies: 0 comments
Dear Team,
We have seen a security issue in the /update functionality of the water, sewerage, and TL modules (possibly other modules also), as they update the workflow and application based on the current state and a valid role.
But this has a flaw for the PAY action: if the citizen does not make the payment and calls the update functionality directly, it will move the application to the next state without verifying the payment status.
I could find an immediate fix by putting a condition on the endpoint itself that PAY should not be allowed, but it's not a generic solution because the PAY action is allowed for citizens, and application updates should happen only via Kafka.
To reproduce the issue, do the following steps:
I have seen this problem in the V2.2 release and verified it in the recent version also. Please ignore this if the issue is already fixed.
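The following is an added illustration of the workflow gap described in this post, not code from the DIGIT modules: a minimal state machine in which the flawed `/update` path trusts the requested PAY action, beside a hardened split where the public endpoint refuses PAY and only a payment-topic consumer, after checking a confirmed payment record, performs that transition. All state names, the `PAYMENT_STATUS` ledger and the event shape are constructed for the example.

```python
from dataclasses import dataclass

# Hypothetical workflow modelled on the post; names are constructed, not DIGIT's.
TRANSITIONS = {
    ("PENDING_PAYMENT", "PAY"): "PENDING_APPROVAL",
    ("PENDING_APPROVAL", "APPROVE"): "APPROVED",
    ("PENDING_APPROVAL", "REJECT"): "REJECTED",
}
ROLE_FOR_ACTION = {"PAY": {"CITIZEN"}, "APPROVE": {"APPROVER"}, "REJECT": {"APPROVER"}}

# Constructed stand-in for the collection/payment service's ledger.
PAYMENT_STATUS = {"WS-001": "PAID", "WS-002": "PENDING"}


@dataclass
class Application:
    app_id: str
    state: str


def _check(app, action, role=None):
    """Shared state (and optional role) validation. Returns (ok, reason)."""
    if role is not None and role not in ROLE_FOR_ACTION.get(action, set()):
        return False, "role not allowed for action"
    if (app.state, action) not in TRANSITIONS:
        return False, "invalid transition from current state"
    return True, ""


def update_vulnerable(app, action, role):
    """Mirrors the flaw: only current state and role are checked, never payment."""
    ok, reason = _check(app, action, role)
    if ok:
        app.state = TRANSITIONS[(app.state, action)]
    return ok, app.state, reason


def handle_update_request(app, action, role):
    """Hardened /update: PAY is never applied from a client-supplied action."""
    if action == "PAY":
        return False, app.state, "PAY is applied only from the payment event consumer"
    return update_vulnerable(app, action, role)


def on_payment_event(app, event):
    """Kafka-side consumer: applies PAY only when the ledger confirms the payment."""
    if event.get("applicationId") != app.app_id or event.get("status") != "PAID":
        return False, app.state, "event does not confirm payment"
    if PAYMENT_STATUS.get(app.app_id) != "PAID":  # verify against the ledger, not just the message
        return False, app.state, "ledger does not show a completed payment"
    ok, reason = _check(app, "PAY")
    if ok:
        app.state = TRANSITIONS[(app.state, "PAY")]
    return ok, app.state, reason
```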