Permissions conflict - View client permissions allows Users to see financial data

Good afternoon,

I’ve added a user onto IN to begin recording his time spent on client projects; however, I’m forced to give him Client View permissions or he loses the ability to select a client when creating a new Task.

Adding this Client View permission also gives this same user the ability to view the financial information of each client… specifically, they can view the total balance paid by the client, which is essentially all of the business's GROSS revenue. This staff member simply creates a new task and should be able to select a client from the drop-down bar, enter task details and save it.

If I remove the permission to view clients, he loses the ability to select a client from the drop-down menu, forcing him to create new clients or leave it blank for me to do double the work and manually fix each entry.

Please help me find a workaround, and/or if this is a bug, can we fix it? I assume anyone creating a Task should be able to select a client and not be forced to leave it blank.

@hillel

I can send back a filtered list of clients

id, name, number, id_number and the contacts array by using ?filter_details=true on api/v1/clients as a solution for this?

Enabling this could be a setting?

I think a simpler option may be to return the client balance and paid to date as 0 if the user doesn’t have permission to view all invoices.


I agree with David. Let’s make it a feature. :slight_smile:
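The two options discussed in this thread (a `filter_details` allow-list and zeroing the balance fields for users without invoice access), sketched side by side as an added example; this is not Invoice Ninja code. The financial field names `balance` and `paid_to_date`, the permission name `view_invoice` and the sample record are assumptions.

```python
# Added example, not Invoice Ninja code. Field names for the financial
# columns and the permission name are assumptions.
DETAIL_FIELDS = ("id", "name", "number", "id_number", "contacts")  # from the thread
FINANCIAL_FIELDS = ("balance", "paid_to_date")                     # assumed names
VIEW_FINANCIALS = "view_invoice"                                   # hypothetical

# Constructed sample record; "private_notes" stands in for any other field.
SAMPLE_CLIENTS = [{
    "id": "c1", "name": "Acme Ltd", "number": "0001", "id_number": "ID-77",
    "contacts": [{"first_name": "Ann", "email": "ann@example.com"}],
    "balance": 1250.0, "paid_to_date": 98000.0, "private_notes": "net 30",
}]


def filtered_details(client):
    """Allow-list projection: anything not named in DETAIL_FIELDS is dropped."""
    return {k: client[k] for k in DETAIL_FIELDS if k in client}


def masked_financials(client):
    """Keep the record shape but report the financial fields as 0."""
    out = dict(client)
    for k in FINANCIAL_FIELDS:
        if k in out:
            out[k] = 0
    return out


def serialize_clients(clients, permissions, filter_details=False):
    """Build the client list for one caller.

    The query flag can only reduce what is returned; the permission check
    runs on the server whether or not the caller sends the flag.
    """
    if filter_details:
        return [filtered_details(c) for c in clients]
    if VIEW_FINANCIALS not in permissions:
        return [masked_financials(c) for c in clients]
    return [dict(c) for c in clients]


if __name__ == "__main__":
    print(serialize_clients(SAMPLE_CLIENTS, set(), filter_details=True))
    print(serialize_clients(SAMPLE_CLIENTS, set()))
```

Masking keeps every other column in the response, so a field added later is exposed unless it is also masked; the allow-list hides new fields by default.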