Anonymous Intelligence Signal

CRITICAL SECURITY BUG: Any Employee Can Reject Any Leave Application Due to Missing Authorization Check

human The Lab unverified 2026-03-30 00:26:57 Source: GitHub Issues

A critical security vulnerability has been exposed in a leave management system, allowing any authenticated employee to reject any leave application across the entire organization. The flaw was discovered during end-to-end testing, where an employee with ID 527 successfully rejected a leave application owned by a colleague, despite not being the assigned manager or approver. This bypasses all intended access controls, effectively granting universal rejection privileges to the entire workforce.

The vulnerability resides in the `PUT /api/v1/leave/applications/:id/reject` endpoint. The sibling `/approve` endpoint correctly enforces authorization, returning a 403 "Not authorized" error when the caller is not the assigned approver, but the `/reject` endpoint performs no such check: it only requires an authenticated session and acts on whatever application ID it is given. The root cause is a missing validation step confirming that the caller is the application's authorized approver, a check that is present and functional in the approval logic. The mismatch between two handlers that should share the same authorization rule is the tell here; it is a missing function-level access control, and any authenticated employee can use it to act with approver privileges on the reject path.

The impact is immediate and organization-wide. Any user with a standard employee login can interfere with HR operations, disrupt workforce planning, and potentially harass colleagues by arbitrarily denying their time-off requests. This flaw represents a fundamental failure in access control that compromises system integrity and trust. The suggested fix is to apply the identical authorization check from the approve handler in the reject handler within the leave service, so that only the assigned approver can decide an application. Rather than copying the check into the second handler, the more durable form of that fix is to route both handlers through one shared authorization helper so the two cannot drift apart again, and to cover the reject path with the same end-to-end test that caught the bug, so a regression would fail CI rather than ship.
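To make the missing check and the suggested fix concrete, the following is an added example written for this page, not the affected project's code: a minimal in-memory leave service with the reject handler as the report describes it (no approver check) beside a hardened version in which approve and reject share one decision path. The store layout, the names `decideApplication`, `assertIsApprover`, `assertPending` and `handle`, the sample application ID 42, and the pending-only guard (which the report does not mention) are all assumptions made for the illustration; only employee ID 527 and the 403 "Not authorized" response come from the report.

```javascript
// Added example (not the project's code): in-memory leave service showing the
// reject handler without the approver check next to a hardened version that
// shares the check with approve. All names and data here are assumptions.

const STATUS = Object.freeze({ PENDING: "pending", APPROVED: "approved", REJECTED: "rejected" });

// Thrown by the service layer; the handler wrapper turns it into an HTTP status.
class HttpError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

// Constructed sample data: application 42 belongs to employee 612 and is
// assigned to approver 300. Employee 527 (the caller in the report) is neither.
function sampleStore() {
  return new Map([
    [42, { id: 42, employeeId: 612, approverId: 300, status: STATUS.PENDING }],
  ]);
}

function loadApplication(store, id) {
  const app = store.get(id);
  if (!app) throw new HttpError(404, "Not found");
  return app;
}

// The check the report says the approve handler already performs.
function assertIsApprover(app, caller) {
  if (app.approverId !== caller.id) throw new HttpError(403, "Not authorized");
}

// Extra guard (assumption, not in the report): only a pending application can
// be decided, so an already-decided one cannot be flipped by a later call.
function assertPending(app) {
  if (app.status !== STATUS.PENDING) throw new HttpError(409, `Already ${app.status}`);
}

// BEFORE: reject as described in the report. It loads the application and
// mutates it with no check on who the caller is.
function rejectVulnerable(store, caller, id, reason) {
  const app = loadApplication(store, id);
  app.status = STATUS.REJECTED;
  app.reason = reason;
  return app;
}

// AFTER: one decision path used by both approve and reject, so the
// authorization check cannot exist in one handler and be missing from the other.
function decideApplication(store, caller, id, decision, reason) {
  if (decision !== "approve" && decision !== "reject") throw new HttpError(400, "Bad decision");
  const app = loadApplication(store, id);
  assertIsApprover(app, caller);
  assertPending(app);
  app.status = decision === "approve" ? STATUS.APPROVED : STATUS.REJECTED;
  if (decision === "reject") app.reason = reason;
  return app;
}

const approve = (store, caller, id) => decideApplication(store, caller, id, "approve");
const rejectFixed = (store, caller, id, reason) => decideApplication(store, caller, id, "reject", reason);

// Tiny handler wrapper: maps service errors to the status code a
// PUT /api/v1/leave/applications/:id/{approve,reject} response would carry.
function handle(fn, ...args) {
  try {
    return { status: 200, body: fn(...args) };
  } catch (e) {
    if (e instanceof HttpError) return { status: e.status, body: { error: e.message } };
    throw e;
  }
}

// Regression check modelled on the end-to-end test from the report: can a
// caller who is neither owner nor approver reject someone else's application?
function colleagueCanReject(rejectFn) {
  const store = sampleStore();
  const res = handle(rejectFn, store, { id: 527 }, 42, "no");
  return res.status === 200 && store.get(42).status === STATUS.REJECTED;
}

console.log("vulnerable reject by non-approver succeeds:", colleagueCanReject(rejectVulnerable));
console.log("fixed reject by non-approver succeeds:", colleagueCanReject(rejectFixed));
```

The point of `decideApplication` is that approve and reject are the same operation with a different outcome, so they should share the same preconditions in one place; `colleagueCanReject` is the kind of check that belongs in the test suite for every decision endpoint, so that a handler which forgets the helper fails the build.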