From a02bcf5bd3c2e67e9c32885e5a72c84682e3677e Mon Sep 17 00:00:00 2001 From: Jason Stephenson Date: Tue, 14 Feb 2017 15:12:47 -0500 Subject: [PATCH] LP#16663435 - Release Note for Missing Stripe Settings Permissions Signed-off-by: Jason Stephenson Signed-off-by: Galen Charlton --- .../stripe_settings_permission.adoc | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 docs/RELEASE_NOTES_NEXT/Administration/stripe_settings_permission.adoc diff --git a/docs/RELEASE_NOTES_NEXT/Administration/stripe_settings_permission.adoc b/docs/RELEASE_NOTES_NEXT/Administration/stripe_settings_permission.adoc new file mode 100644 index 0000000000..84ca344090 --- /dev/null +++ b/docs/RELEASE_NOTES_NEXT/Administration/stripe_settings_permission.adoc @@ -0,0 +1,15 @@ +Credit Processor Stripe Settings Permissions +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Unprivileged users can retrieve organizational unit setting values for +setting types lacking a "view" permission. When the feature adding +Stripe credit card processing was added, the upgrade script neglected +to add the VIEW_CREDIT_CARD_PROCESSING permission to the +organizational unit setting type. This means that anyone can retrieve +and view the settings for Stripe credit card processing. + +Any system that upgraded from Evergreen version 2.5 to 2.6 is +affected. If you use Stripe for credit card processing, it is +strongly recommended that you apply this upgrade. Even if you do not +use Stripe, applying this upgrade is still recommended. If you did +not upgrade from version 2.5 to 2.6 of Evergreen, but started with a +later version, applying this upgrade is harmless. -- 2.43.2
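Review bot: the second paragraph of the new release note says "applying this upgrade" three times without saying what the upgrade is or what it changes, so an administrator reading only this file cannot tell which step closes the exposure. Suggest stating that the upgrade adds the VIEW_CREDIT_CARD_PROCESSING permission as the view permission on the Stripe organizational unit setting types, and naming those setting types instead of the singular "the organizational unit setting type" in the first paragraph. Since the note states that anyone could retrieve these settings on systems upgraded from 2.5 to 2.6, it would also help to add a sentence advising affected sites to treat the stored Stripe setting values as potentially disclosed and to review them after upgrading. Minor wording: "When the feature adding Stripe credit card processing was added" repeats itself; "When Stripe credit card processing was added" reads cleaner.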