Unauthorized user can view and edit transactions from a bank account he/she doesn't have access to

We have a situation where an unauthorized user can view and edit the transactions from a bank account that he/she doesn’t have permission to view/edit according to the user’s permissions.

The use case is the following:

Under user permissions, User A has access to Bank Account A ONLY. In addition, he also has access to Reports and Balance Sheet. When User A is viewing the Balance Sheet report, he sees the Cash & cash equivalents amount. However, when he clicks it, he is able to see the balance of Bank Accounts A and B (which he doesn’t have access to). If he clicks on the balance of Bank Account B which he doesn’t have access to, he can even see the movements. Last but not least, the user is also able to edit those transactions.

This doesn’t feel right. A possible solution is that the balance on Cash & cash equivalents is not a link to its details for User A, since he doesn’t have permission to see the other bank accounts.

Any ideas/solutions are welcome. Thanks!

The principle here is that they have access to the balance sheet, and that gives them access to see the account balance of any account, including being able to see how these account balances are calculated.

How come this user can see the balance sheet but not some specific account (e.g. a bank account)? What’s the use case?

Hello @lubos, nice hearing from you.

Our use case is that User A should only be able to see aggregate data from the Balance Sheet and be able to see the details (movements) of the accounts he/she has access to.

The current version of Manager allows a user who doesn’t even have view access to an account to edit transactions within that account (through the Balance Sheet report for example). The system could be more restrictive if the user doesn’t have access to a specific bank account.

I appreciate your help!

2 Likes
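The failure mode described in this thread (report access leaking into per-account view and edit rights) and the restriction the reporter asks for can be sketched as an object-level authorization check. The following is an added example written for this thread, not code from Manager; the users, accounts, transactions and function names are all constructed.

```python
from dataclasses import dataclass, field

# Constructed sample data: two bank accounts that both roll up into
# "Cash & cash equivalents", plus a few movements in each.
TRANSACTIONS = [
    {"id": 1, "account": "A", "amount": 500.0, "memo": "Deposit"},
    {"id": 2, "account": "A", "amount": -120.0, "memo": "Rent"},
    {"id": 3, "account": "B", "amount": 900.0, "memo": "Customer payment"},
    {"id": 4, "account": "B", "amount": -50.0, "memo": "Bank fee"},
]
CASH_ACCOUNTS = {"A", "B"}

@dataclass
class User:
    name: str
    can_view_balance_sheet: bool
    bank_accounts: set = field(default_factory=set)  # accounts the user may open

class Forbidden(Exception):
    pass

def cash_and_equivalents(user):
    """Aggregate line of the balance sheet: visible to anyone with report access."""
    if not user.can_view_balance_sheet:
        raise Forbidden("no report access")
    return sum(t["amount"] for t in TRANSACTIONS if t["account"] in CASH_ACCOUNTS)

def drill_down(user):
    """Per-account balances behind the aggregate, filtered by object permission.
    The behaviour reported in the thread would return every account here."""
    if not user.can_view_balance_sheet:
        raise Forbidden("no report access")
    return {
        acct: sum(t["amount"] for t in TRANSACTIONS if t["account"] == acct)
        for acct in sorted(CASH_ACCOUNTS & user.bank_accounts)
    }

def account_transactions(user, account):
    """Movements of one account: the check is on the account, not the report."""
    if account not in user.bank_accounts:
        raise Forbidden(f"{user.name} may not view account {account}")
    return [t for t in TRANSACTIONS if t["account"] == account]

def edit_transaction(user, tx_id, new_memo):
    """The edit path re-checks permission against the account stored on the
    record itself, so reaching the form via a report link grants nothing."""
    tx = next((t for t in TRANSACTIONS if t["id"] == tx_id), None)
    if tx is None:
        raise KeyError(tx_id)
    if tx["account"] not in user.bank_accounts:
        raise Forbidden(f"{user.name} may not edit account {tx['account']}")
    tx["memo"] = new_memo
    return tx
```

The aggregate stays readable, while the drill-down, the transaction list and the edit path each check the specific account rather than inheriting rights from the report.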

I agree that this is an issue and needs to be looked into.

Because you would not want your accountant over sales, restricted to only account A,
being able to edit what the accountant over banking is doing in account B.