Comment 1 for bug 1908749

Tiffany Little (tslittle) wrote : Re: Direct charges on invoice can see funds from other orgs

Updating this bug after some more investigation.

I'm thinking that the fix for bug 1862022 is responsible here.

I looked through the code in invoice.js, and one of the required perms is ADMIN_INVOICE. So on our production server running 3.4.2, I pulled up that perm on our SYSTEM-ACQADMIN perm profile. It's set at 1.

On our test server running 3.6.1, I did the same thing. But now there's the stock Acquisitions perm for ADMIN_INVOICE, set at consortium level. (See screenshot)

When the perms are set like this, I get the result of my original bug report--because setFundFilter is set to look for your orgs+desc and it's set at CONS, it lets me see all consortium funds.

On the 3.6.1 server, when I removed the ADMIN_INVOICE perm completely from the Acquisitions perm profile, I can correctly only see system-level funds.

Looking at our Acquisitions perm profile on production, it's pretty pared down. I don't have a 3.4 stock server to see what they looked like before the fix, so I don't know if I gutted it or it was that sparse beforehand.

Would it be the upgrade script that's responsible here? If the schema was just updated, would sites that have already customized their Acquisitions perm group be unaffected? But since there's an upgrade script, it forces the change?
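The depth behaviour described in the comment above, as an added example that is not part of the original comment and not Evergreen code. It is a simplified model: the org tree, fund names, and the assumption that a fund filter uses the union of "ancestor at the granted depth plus descendants" over every ADMIN_INVOICE grant the user holds are all constructed for illustration.

```python
# Simplified model (assumption), not Evergreen's implementation.
# Constructed org tree: depth 0 = consortium, 1 = system, 2 = branch.
ORG_PARENT = {"CONS": None, "SYS1": "CONS", "SYS2": "CONS",
              "BR1": "SYS1", "BR2": "SYS1", "BR3": "SYS2"}

# Constructed funds, each owned by one org unit.
FUND_ORG = {"SYS1 books": "SYS1", "BR2 media": "BR2",
            "SYS2 books": "SYS2", "BR3 media": "BR3"}

def org_depth(org):
    """Number of hops from org up to the consortium root."""
    depth = 0
    while ORG_PARENT[org] is not None:
        org = ORG_PARENT[org]
        depth += 1
    return depth

def ancestor_at_depth(org, depth):
    """Walk up from org until it sits at the granted depth (or shallower)."""
    while org_depth(org) > depth:
        org = ORG_PARENT[org]
    return org

def descendants(org):
    """org plus every org unit below it."""
    out = {org}
    for child, parent in ORG_PARENT.items():
        if parent == org:
            out |= descendants(child)
    return out

def perm_orgs(work_org, grants, perm):
    """Union of org units covered by every grant of perm: the broadest grant wins."""
    orgs = set()
    for granted_perm, depth in grants:
        if granted_perm == perm:
            orgs |= descendants(ancestor_at_depth(work_org, depth))
    return orgs

def visible_funds(work_org, grants):
    """Funds a filter keyed on ADMIN_INVOICE 'orgs + descendants' would return."""
    orgs = perm_orgs(work_org, grants, "ADMIN_INVOICE")
    return sorted(fund for fund, owner in FUND_ORG.items() if owner in orgs)

# Local profile grants the perm at depth 1 (system) only.
LOCAL_ONLY = [("ADMIN_INVOICE", 1)]
# Same profile after a stock grant at depth 0 (consortium) is also present.
WITH_STOCK_GRANT = LOCAL_ONLY + [("ADMIN_INVOICE", 0)]
```

In this model a single depth-0 grant anywhere in the user's effective permissions widens the fund list to the whole consortium, so an audit after an upgrade should compare the depth of every ADMIN_INVOICE grant, not just the one on the locally customized profile.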