
Fix team-owned invoice edit permissions#669

Open
Fanwize wants to merge 1 commit into TreyWW:main from Fanwize:fix-team-invoice-permissions

Conversation


@Fanwize Fanwize commented May 10, 2026

Description

Fixes a permission bug in the invoice edit endpoint for team-owned invoices.

The endpoint previously performed manual permission checks against both the active team and the invoice user. For team-owned invoices, invoice.organization is set while invoice.user may be empty. This meant that a user logged in as the owning team could still be incorrectly rejected with a 403 response.

This PR replaces the duplicated manual permission check with the existing invoice.has_access(request.user) helper, which already handles both personal and team-owned invoices.

Regression tests were added for:

  • allowing a team member to edit an invoice owned by their active team
  • rejecting a user who is not currently acting in the matching team context

No new dependencies are required.

Checklist

  • Ran the Black Formatter and djLint-er on any new code
  • Made any changes or additions to the documentation where required
  • Changes generate no new warnings/errors
  • New and existing unit tests pass locally with my changes

What type of PR is this?

  • 🐛 Bug Fix

Added/updated tests?

  • 👍 yes

Related PRs, Issues etc

  • Related Issue: N/A
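The authorization bug described above, reduced to plain Python so the two code paths can be compared side by side. This is an added illustration, not code from the MyFinances project or from this PR: the `Team`, `User` and `Invoice` classes, the `active_team` attribute, the exact shape of the pre-fix manual check, and the semantics of `has_access` are all assumptions modelled on the PR description. The point it demonstrates is the general one: two partially overlapping ownership checks written inline can reject a legitimate team member when `invoice.user` is empty, while a single ownership-aware helper gives one place to reason about and test.

```python
# Added example (not project code): models the permission bug the PR describes.
# All class names, fields and check logic below are assumptions for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Team:
    id: int


@dataclass(frozen=True)
class User:
    id: int
    # Assumed: the team the user is currently "logged in as", or None for personal context.
    active_team: Optional[Team] = None


@dataclass
class Invoice:
    id: int
    user: Optional[User] = None          # set for personal invoices
    organization: Optional[Team] = None  # set for team-owned invoices

    def has_access(self, user: User) -> bool:
        """One ownership-aware check covering both invoice kinds (assumed semantics)."""
        if self.organization is not None:
            # Team-owned: the caller must be acting in the owning team's context.
            return (
                user.active_team is not None
                and user.active_team.id == self.organization.id
            )
        # Personal: the caller must be the owning user.
        return self.user is not None and self.user.id == user.id


def edit_invoice_before(invoice: Invoice, requester: User) -> int:
    """'Before' path (reconstructed): two inline checks that must both pass.

    For a team-owned invoice, invoice.user is None, so the second check
    rejects even a member acting as the owning team. Returns an HTTP status.
    """
    if (
        requester.active_team is not None
        and invoice.organization is not None
        and requester.active_team.id != invoice.organization.id
    ):
        return 403
    if invoice.user is None or invoice.user.id != requester.id:
        return 403
    return 200


def edit_invoice_after(invoice: Invoice, requester: User) -> int:
    """'After' path: delegate to the single helper. Returns an HTTP status."""
    if not invoice.has_access(requester):
        return 403
    return 200


def run_scenarios() -> dict:
    """Constructed sample data covering the two regression cases from the PR plus personal invoices."""
    team = Team(id=1)
    member = User(id=10, active_team=team)          # acting as the owning team
    outsider = User(id=11, active_team=Team(id=2))  # acting in a different team
    no_context = User(id=12)                        # not in any team context
    team_invoice = Invoice(id=100, organization=team)
    personal_invoice = Invoice(id=101, user=member)
    return {
        "before_team_member": edit_invoice_before(team_invoice, member),   # wrongly 403
        "after_team_member": edit_invoice_after(team_invoice, member),     # 200
        "after_wrong_team": edit_invoice_after(team_invoice, outsider),    # 403
        "after_no_context": edit_invoice_after(team_invoice, no_context),  # 403
        "after_personal_owner": edit_invoice_after(personal_invoice, member),   # 200
        "after_personal_other": edit_invoice_after(personal_invoice, outsider), # 403
    }


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name}: {status}")
```

Running the scenarios shows the regression the PR's tests pin down: `before_team_member` is 403 while `after_team_member` is 200, and the negative cases (wrong team, no team context, someone else's personal invoice) stay at 403 on the fixed path. Keeping ownership logic in one helper also means a future change to what "team context" means is made and tested in exactly one place.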
