Updated Acq stock perms overrides custom perm groups
Bug #1908749 reported by Tiffany Little
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Evergreen | New | Undecided | Unassigned |
Bug Description
Testing on a 3.6.1 system.
The fund drop-down list for direct charges on invoices can see funds that do not belong to your org. To test:
1. Go to Acquisitions > Create Invoice.
2. Add a direct charge.
3. You can see other orgs' funds, even though you don't have perms there.
As far as I can tell, other fund dropdowns are not affected, like the batch updater in POs or the fund dropdown on PO direct charges.
Updating this bug after some more investigation.
I'm thinking that the fix for bug 1862022 is responsible here.
I looked through the code in invoice.js, and one of the required perms is ADMIN_INVOICE. So on our production server running 3.4.2, I pulled up that perm on our SYSTEM-ACQADMIN perm profile. It's set at 1.
On our test server running 3.6.1, I did the same thing. But now there's the stock Acquisitions perm for ADMIN_INVOICE, set at consortium level. (See screenshot)
When the perms are set like this, I get the result of my original bug report: because setFundFilter is set to look for your orgs+desc and it's set at CONS, it lets me see all consortium funds.
On the 3.6.1 server, when I removed the ADMIN_INVOICE perm completely from the Acquisitions perm profile, I can correctly only see system-level funds.
Looking at our Acquisitions perm profile on production, it's pretty pared down. I don't have a 3.4 stock server to see what they looked like before the fix, so I don't know if I gutted it or it was that sparse beforehand.
Would it be the upgrade script that's responsible here? If the schema was just updated, would sites that have already customized their Acquisitions perm group be unaffected? But since there's an upgrade script, it forces the change?
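The mechanism described in the comment above (a perm held at consortium depth through one group widening the "your orgs + descendants" fund filter even though a custom group grants the same perm at system depth) can be shown with a small model. The following is an added illustrative example, not Evergreen's own code: the org tree, fund codes, group contents and the simplified "ancestor at granted depth plus descendants, unioned across groups" rule are all constructed assumptions for this demonstration.

```javascript
// Added example (not Evergreen code): model of how permission depth turns
// into the set of org units whose funds a fund selector may show.
// ORGS, FUNDS and the perm groups below are constructed sample data.

// Each org unit: parent and depth (0 = consortium, 1 = system, 2 = branch).
const ORGS = {
  CONS: { parent: null, depth: 0 },
  SYS1: { parent: 'CONS', depth: 1 },
  SYS2: { parent: 'CONS', depth: 1 },
  BR1:  { parent: 'SYS1', depth: 2 },
  BR2:  { parent: 'SYS1', depth: 2 },
  BR3:  { parent: 'SYS2', depth: 2 },
};

// Constructed funds, each owned by one org unit.
const FUNDS = [
  { code: 'CONS-GEN',    owner: 'CONS' },
  { code: 'SYS1-BOOKS',  owner: 'SYS1' },
  { code: 'BR1-AV',      owner: 'BR1'  },
  { code: 'SYS2-BOOKS',  owner: 'SYS2' },
  { code: 'BR3-SERIALS', owner: 'BR3'  },
];

// Perm groups map perm name -> depth at which it is granted.
// Hypothetical custom group: ADMIN_INVOICE at the user's system (depth 1).
const CUSTOM_SYSTEM_ACQADMIN = { ADMIN_INVOICE: 1 };
// Hypothetical stock-style group that also grants it at consortium (depth 0).
const STOCK_ACQ_WITH_ADMIN_INVOICE = { ADMIN_INVOICE: 0 };
// Same stock-style group with ADMIN_INVOICE removed.
const STOCK_ACQ_WITHOUT_ADMIN_INVOICE = {};

// Walk up from `org` until reaching the ancestor at `depth` (or `org` itself
// if it is already at or above that depth).
function ancestorAtDepth(org, depth) {
  let cur = org;
  while (cur !== null && ORGS[cur].depth > depth) cur = ORGS[cur].parent;
  return cur;
}

function isDescendantOrSelf(org, root) {
  for (let cur = org; cur !== null; cur = ORGS[cur].parent) {
    if (cur === root) return true;
  }
  return false;
}

// Org units where a user working at `workOrg` holds `perm`: for every group
// granting it, the ancestor of workOrg at the granted depth plus all of its
// descendants. Grants from several groups are unioned, so the shallowest
// (most permissive) depth wins.
function permOrgs(workOrg, groups, perm) {
  const roots = groups
    .filter(g => Object.prototype.hasOwnProperty.call(g, perm))
    .map(g => ancestorAtDepth(workOrg, g[perm]));
  return Object.keys(ORGS).filter(o => roots.some(r => isDescendantOrSelf(o, r)));
}

// "Your orgs + descendants" fund filter: funds owned by any org in scope.
function visibleFunds(workOrg, groups, perm) {
  const scope = new Set(permOrgs(workOrg, groups, perm));
  return FUNDS.filter(f => scope.has(f.owner)).map(f => f.code);
}

// Staff user at BR1 with only the custom group: sees SYS1's subtree funds.
console.log(visibleFunds('BR1', [CUSTOM_SYSTEM_ACQADMIN, STOCK_ACQ_WITHOUT_ADMIN_INVOICE], 'ADMIN_INVOICE'));
// Same user once the stock group also grants ADMIN_INVOICE at depth 0:
// the consortium-level grant widens the scope to every fund.
console.log(visibleFunds('BR1', [CUSTOM_SYSTEM_ACQADMIN, STOCK_ACQ_WITH_ADMIN_INVOICE], 'ADMIN_INVOICE'));
```

The model shows why removing the stock grant (rather than adjusting the custom group) narrows the dropdown back to system-level funds: the custom grant at depth 1 never changed, but the union with a depth-0 grant from another group made it irrelevant.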