Producer reports - incorrect and unauthorized data issues #13111

Open
pragai opened this issue Jan 30, 2025 · 0 comments

pragai commented Jan 30, 2025

Description

In several producer reports there are some columns and/or search fields that contain data that should not be available to the producer, or otherwise the information is not correct. I tested it with a producer who is set not to see customer data. But not just customer name and email, but also other producers' products and stock quantities are shown, or sometimes simply invalid sums.

There are 9 different cases described below.

Expected Behavior

Show only information to the producer that he is authorized to see.

Actual Behaviour

Unauthorized or otherwise faulty data is shown.

Steps to Reproduce

User: [email protected]
Pwd: Kosar2024!

I tested it with a producer who is set not to see customer data. The following issues occurred:

  1. https://openfood.hu/admin/reports/bulk_coop/customer_payments - Bulk Co-op customer subscriptions - customer names, purchase totals (not producer's own, but the full total)

  2. https://openfood.hu/admin/reports/payments/itemised_payment_totals - Payment by Item Amounts - purchase totals (not producer's own, not even the full total)

  3. https://openfood.hu/admin/reports/payments/payment_totals - Payment amounts - purchase totals (not producer's own, not even the full total)

  4. https://openfood.hu/admin/reports/orders_and_fulfillment/order_cycle_supplier_totals - Order Cycle Supplier totals - in the product finder you can see all products of all producers and their stocks

  5. https://openfood.hu/admin/reports/orders_and_fulfillment/order_cycle_supplier_totals_by_distributor - Cycle Supplier totals by Distributor - all products of all producers and their stocks are shown in the product finder

  6. https://openfood.hu/admin/reports/orders_and_fulfillment/order_cycle_distributor_totals_by_supplier - Order Cycle Distributor totals by Supplier - all products of all producers and their stocks are shown in the product finder

  7. https://openfood.hu/admin/reports/enterprise_fee_summary/fee_summary - Summary of contractor fees - all producers are visible, the name of the buyer is visible

  8. https://openfood.hu/admin/reports/enterprise_fee_summary/enterprise_fees_with_tax_report_by_order - Business rates tax reports by order - All buyers' email addresses are visible

  9. https://openfood.hu/admin/reports/enterprise_fee_summary/enterprise_fees_with_tax_report_by_producer - Business rates by producer tax return - Show buyers' email addresses

Animated Gif/Screenshot

Workaround

If we want to show only authorized and correct info to the producers, then there is no workaround.

Severity

Your Environment

  • Version used:
  • Browser name and version:
  • Operating System and version (desktop or mobile):

Possible Fix

@github-project-automation github-project-automation bot moved this to All the things 💤 in OFN Delivery board Jan 30, 2025
@sigmundpetersen sigmundpetersen changed the title Producer reports - incorrect adn unathorized data issues Producer reports - incorrect and unathorized data issues Jan 30, 2025
@sigmundpetersen sigmundpetersen changed the title Producer reports - incorrect and unathorized data issues Producer reports - incorrect and unauthorized data issues Jan 30, 2025