LP#16663435 - Stripe org settings lack view permissions.
author Chris Sharp <csharp@georgialibraries.org>
Tue, 14 Feb 2017 18:27:31 +0000 (13:27 -0500)
committer Galen Charlton <gmc@equinoxinitiative.org>
Thu, 16 Feb 2017 21:59:58 +0000 (16:59 -0500)
commit e664df4cb7d02b5e5c29890c62cd0cb5c4a8883e
tree 45b3db0e1d331ee5d3a587612a0dfebb081cd060
parent 500b7273183d62a1de67bbac6f0eafa8582bcb59
LP#16663435 - Stripe org settings lack view permissions.

Unprivileged users can retrieve organizational unit setting values
for setting types lacking a "view" permission.  When the feature adding
Stripe credit card processing was added, the upgrade script neglected to
add the VIEW_CREDIT_CARD_PROCESSING permission to the organizational unit
setting type (which was included in 0396.data.org-setting-payflowpro.sql).

Fresh installs are not affected, but anyone who upgraded through 0863.data.stripe-payments.sql
(included in the 2.5.3-2.6.0-upgrade-db.sql version upgrade script) and is
using Stripe credit card processing should run this script.

Signed-off-by: Chris Sharp <csharp@georgialibraries.org>
Signed-off-by: Jason Stephenson <jason@sigio.com>
Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org>
Open-ILS/src/sql/Pg/upgrade/XXXX.data.coust_view_perms_stripe.sql [new file with mode: 0644]