As of 6.x-1.9, I see no way to allow a client to view invoiceitems of their organization without allowing them to view the invoiceitems of other organizations, if they guessed the urls. We need a "view of user organization" permission for invoiceitems, which functions exactly the same way as the same named permissions for invoices, etc.

Comments

Roberto Gerola’s picture

Roberto Gerola commented

I've added a permission check based on invoice privileges for children invoice items.
Committed on cvs for dev version for testing.

Let me know.

Thanks, Roberto

Roberto Gerola’s picture

Roberto Gerola commented
Status: Active » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.